Date: Mon, 4 Feb 2002 17:03:08 GMT
Message-Id: <200202041703.RAA13046@pkl.net>
From: Ceri Storey
To: Petko Popadiyski
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
References: <20020204152325.GA64082@fbi.gov>
In-Reply-To: <20020204152325.GA64082@fbi.gov>

On Mon, Feb 04, 2002 at 05:23:25PM +0200, Petko Popadiyski wrote:
> I don't think that .history file is reliable. In my case the shell

You'd be right there.

> in it only "rm .history". I would like to know is there a way to
> log the used commands incrementally with syslogd, which will provide
> secure logging (if syslogd uses another computer for storing them).

Yes, there's a wonderful thing known as process accounting, which will
record every command executed. Although I'm unsure whether it's possible
to log command line arguments.

> Also I would like to ask how to make a user .history file unaccessible
> for his owner (to prevent it from deleting)?

Use "chflags sappend ", this will set the "system append only flag",
i.e. you may only append to the file, and it's only set/unsettable by
root.

In any case, there's nothing stopping a user from running his own shell
(unless you've taken somewhat fascist measures to prevent this, e.g.
mounting user-writable filesystems no-execute) which does not log
commands issued.

-- 
Ceri Storey http://pkl.net/~cez/
vi(1)! postfix(7)! pie(5)!
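
The two measures from the reply above, as an added example that is not part of the original message: enabling process accounting, setting the system append-only flag, and auditing which history files actually carry it. It assumes a current FreeBSD system and root; the function names, home directory paths and the sample "ls -lo" listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). The first two functions
# are FreeBSD-only and need root; they are defined here but not called.

# Enable process accounting now and at boot. Accounting records hold the
# command name per process (see lastcomm(1)), not its arguments.
enable_accounting() {
    sysrc accounting_enable=yes
    service accounting start
}

# Set the system append-only flag on a history file ($1 = path).
# chflags accepts "sappend" and "sappnd"; ls -lo prints it as "sappnd".
protect_history() {
    chflags sappend "$1"
}

# Audit: read `ls -lo` output on stdin and print every file whose flags
# column (field 5) lacks sappnd. uappnd alone does not count, because the
# file's owner can clear a user flag. Assumes file names without spaces.
missing_sappnd() {
    awk 'NF >= 10 {
        n = split($5, flags, ","); ok = 0
        for (i = 1; i <= n; i++) if (flags[i] == "sappnd") ok = 1
        if (!ok) print $NF
    }'
}

# Constructed sample of `ls -lo /home/*/.history` output.
SAMPLE_LS='-rw-------  1 alice  alice  sappnd 1802 Feb  4 17:03 /home/alice/.history
-rw-------  1 bob    bob    -      944 Feb  4 16:51 /home/bob/.history
-rw-------  1 carol  carol  uappnd,sappnd 310 Feb  3 09:12 /home/carol/.history
-rw-------  1 dave   dave   uappnd 77 Feb  2 11:40 /home/dave/.history'

# Stand-alone run: list the sample files that are not root-protected.
printf '%s\n' "$SAMPLE_LS" | missing_sappnd
```

On a live system, feed the audit real data with: ls -lo /home/*/.history | missing_sappnd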