Date: Thu, 27 Aug 1998 23:05:56 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: wkt@cs.adfa.oz.au
Cc: security@FreeBSD.ORG
Subject: Re: Shell history
In-Reply-To: <199808280519.PAA04932@henry.cs.adfa.oz.au>

On Fri, 28 Aug 1998, Warren Toomey wrote:

> In article by Jan B. Koum:
>> What if the user would be to switch shell or to install their own?
>> I do not think one should depend on shell history to log all what
>> user does. How would YOU monitor what your users are
>> doing if you had to?
>
> accton(8), lastcomm(1)
>
> Warren

One can just "cp" the executable.

    % cp /sbin/ifconfig ./.a
    % ./.a -a
    vx0: flags=8843 mtu 1500
            inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
            ether 00:60:08:15:bc:65
    lp0: flags=8810 mtu 1500
    tun0: flags=8010 mtu 1500
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
    % lastcomm | grep ifconfig
    % lastcomm | grep .a
    lastcomm   -  jkb  ttyp3  0.00 secs Thu Aug 27 22:56
    .a         -  jkb  ttyp3  0.00 secs Thu Aug 27 22:56

And if the binary is setuid...

exec:

    % exec su
    Password:
    nfr# lastcomm
    hostname   -  root ttyp3  0.00 secs Thu Aug 27 22:52
    lastcomm   -S root ttyp2  0.00 secs Thu Aug 27 22:52
    lastcomm   -S root ttyp2  0.00 secs Thu Aug 27 22:52
    vi         -  jkb  ttyp3  0.03 secs Thu Aug 27 22:52
    lastcomm   -S root ttyp2  0.00 secs Thu Aug 27 22:51

I am sure there are probably many other ways around lastcomm. I hope you are not relying 100% on the output of lastcomm to tell you what users are up to.

-- Yan
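The post's point is that process accounting records only the basename of the executed image, so a copied binary shows up under whatever name it was given. The following added example (not part of the original message or of FreeBSD) is a small reviewer for lastcomm(1)-style output that applies the checks a defender can still make on that data: dotfile-style command names, names absent from an allowlist of expected commands, and the superuser flag (`S`) appearing on a command run by a non-root user, which is how a setuid copy would look. The sample lines and the allowlist are constructed for this example; the record layout assumed is the one shown in the post (command, flags, user, tty, seconds, date).

```python
"""
Heuristic review of lastcomm(1)-style process-accounting output.

BSD accounting stores only the (truncated) basename of the executed
image, so "cp /sbin/ifconfig ./.a && ./.a" is recorded as ".a".  The
checks below cannot recover the real program, but they surface the
oddities that a copied or renamed binary leaves behind.

All sample data here is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed allowlist; a real one would be built from the commands
# expected on the host (e.g. the basenames under /bin, /sbin, /usr/bin).
KNOWN_COMMANDS = {
    "ifconfig", "lastcomm", "vi", "hostname", "su", "cp",
    "grep", "sh", "ls", "cat",
}

# Constructed sample in the layout lastcomm prints:
#   command  flags  user  tty  seconds "secs"  date
SAMPLE_LASTCOMM = """\
lastcomm   -  jkb  ttyp3  0.00 secs Thu Aug 27 22:56
.a         -  jkb  ttyp3  0.00 secs Thu Aug 27 22:56
cp         -  jkb  ttyp3  0.00 secs Thu Aug 27 22:55
vi         -  jkb  ttyp3  0.03 secs Thu Aug 27 22:52
lastcomm   -S root ttyp2  0.00 secs Thu Aug 27 22:52
.b         -S jkb  ttyp3  0.01 secs Thu Aug 27 22:58
"""

LINE_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>[\d.]+)\s+secs\s+(?P<when>.+?)\s*$"
)


@dataclass
class Record:
    command: str
    flags: str
    user: str
    tty: str
    secs: float
    when: str


def parse_lastcomm(text: str) -> List[Record]:
    """Parse lastcomm-style lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append(Record(
            command=m["command"], flags=m["flags"], user=m["user"],
            tty=m["tty"], secs=float(m["secs"]), when=m["when"],
        ))
    return records


def review(records: List[Record], known=KNOWN_COMMANDS) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (command, user, reasons) for every record that trips a check."""
    findings = []
    for r in records:
        reasons = []
        if r.command.startswith("."):
            reasons.append("hidden-name")          # dotfile-style image name
        if r.command not in known:
            reasons.append("unknown-command")      # not an expected basename
        if "S" in r.flags and r.user != "root":
            reasons.append("superuser-flag-nonroot")  # ran as root without being root
        if reasons:
            findings.append((r.command, r.user, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for command, user, reasons in review(parse_lastcomm(SAMPLE_LASTCOMM)):
        print(f"{command:<12} {user:<6} {', '.join(reasons)}")
```

Run over the sample, the two copied binaries are the only records flagged: `.a` for its hidden, unknown name and `.b` additionally for carrying the superuser flag under a non-root account. The legitimate `lastcomm -S root` entries pass, which is the limit of the approach: accounting never sees the path or the file's hash, so the allowlist is a heuristic rather than proof of what ran.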