From owner-freebsd-questions Mon Dec 4 0:50:30 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 4 00:50:28 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id 4198E37B400
	for ; Mon, 4 Dec 2000 00:50:28 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Mon, 4 Dec 2000 00:48:51 -0800
Received: (from cjc@localhost)
	by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eB48oLs45444;
	Mon, 4 Dec 2000 00:50:21 -0800 (PST) (envelope-from cjc)
Date: Mon, 4 Dec 2000 00:50:21 -0800
From: "Crist J . Clark"
To: Chris Byrnes
Cc: questions@FreeBSD.ORG
Subject: Re: Logging outside of home directory
Message-ID: <20001204005021.C99903@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from chris@jeah.net on Sun, Dec 03, 2000 at 11:50:30PM -0600
Sender: cjc@149.211.6.64.reflexcom.com
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Dec 03, 2000 at 11:50:30PM -0600, Chris Byrnes wrote:
> I'm looking for a way to log all shell activity to a place
> where the individual user can't see it's being logged to, and
> if possible, cannot tamper with the log file.
>
> I'd like it to work for all shells (bash, tcsh, csh, etc).
>
> Anyone have a program or script?

I don't see a reasonable way to do this if you are thinking about
using the builtin "history" mechanism of the shells. At least not
without hacking the source code of each shell. The history mechanisms
are there for exploitation by the user, not the administrator, and
therefore are easy for the user to monitor and to change.

One possibility is to use the builtin accounting functionality. See
accton(8), sa(8), lastcomm(1), and acct(5) for more information.
This would be a reasonable solution for usage statistics and very
basic security monitoring (on unsophisticated users).

None of these options is practical for comprehensive security
auditing. I can't tell from your brief mail what your intentions are.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
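
The accounting approach named in the reply, as an added example that is not part of the original message: a sketch of what lastcomm(1) output can be reduced to for usage statistics and basic monitoring. The sample records are constructed, the function names are hypothetical, and the column layout (command, flags, user, tty, CPU time, start time) and the flag letters D (core dump) and X (killed by signal) are assumed from BSD lastcomm.

```sh
#!/bin/sh
# Added example (not from the original mail): reducing lastcomm(1) output.
# Accounting is switched on as root with accton(8), for instance:
#   touch /var/account/acct && accton /var/account/acct
# acct(5) records hold the command name, not its arguments, and are
# written when the process exits.

# Constructed sample in the assumed lastcomm layout:
#   command  flags  user  tty  cpu-time "secs"  start-time
sample_lastcomm() {
    cat <<'EOF'
ls         -       alice    ttyp0      0.000 secs Mon Dec  4 00:41
vi         -       alice    ttyp0      0.031 secs Mon Dec  4 00:42
ls         -       alice    ttyp0      0.000 secs Mon Dec  4 00:43
a.out      -DX     bob      ttyp1      0.015 secs Mon Dec  4 00:44
su         -S      bob      ttyp1      0.007 secs Mon Dec  4 00:45
sh         -F      root     ttyp1      0.000 secs Mon Dec  4 00:46
EOF
}

# Per-user command counts, printed as "user command count", sorted.
summarize_lastcomm() {
    awk 'NF >= 6 { n[$3 " " $1]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Records whose flags show a core dump (D) or death by signal (X),
# printed as "user command flags".
abnormal_exits() {
    awk 'NF >= 6 && $2 ~ /[DX]/ { print $3, $1, $2 }'
}

# Stand-alone run on the constructed sample; on a live system the input
# would come from lastcomm itself: lastcomm | summarize_lastcomm
sample_lastcomm | summarize_lastcomm
sample_lastcomm | abnormal_exits
```

Because only the command name is recorded, a renamed binary or a shell builtin leaves no distinguishing record in this output.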