From owner-freebsd-security@FreeBSD.ORG  Wed Jan  7 12:39:24 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A59AB16A4CE
	for <freebsd-security@freebsd.org>;
	Wed,  7 Jan 2004 12:39:24 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 593D143D41
	for <freebsd-security@freebsd.org>;
	Wed,  7 Jan 2004 12:39:23 -0800 (PST)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1])
	by fledge.watson.org (8.12.10/8.12.10) with ESMTP id i07Kc0Ud010638;
	Wed, 7 Jan 2004 15:38:00 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)i07Kc0Uf010635;
	Wed, 7 Jan 2004 15:38:00 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Wed, 7 Jan 2004 15:38:00 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
X-Sender: robert@fledge.watson.org
To: Richard Bejtlich <richard_bejtlich@yahoo.com>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
Message-ID: <Pine.NEB.3.96L.1040107153538.6025F-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: Logging user activities
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jan 2004 20:39:24 -0000


On Tue, 6 Jan 2004, Richard Bejtlich wrote:

> What do you recommend for keeping track of user activities?  For
> preserving bash histories I followed these recommendations: 
> 
> http://www.defcon1.org/secure-command.html
> 
> They include using 'chflags sappnd .bash_history', enabling process
> accounting, and the like. 
> 
> My goal is to "watch the watchers," i.e. watch for abuse of power by SOC
> people with the ability to view traffic captured by sniffers. 
> 
> I plan to use sudo to limit and audit user activities too.  I may also
> try some of the patches to bash listed at project.honeynet.org which
> send keystrokes to a remote server.  Hardware keystroke logging is
> always a possibility. 
> 
> For more, should I turn to TrustedBSD integration in a future 5.x
> release? 

One of the "Coming soon" features for the next year will be Audit support
for FreeBSD, based on some work we did on a related operating system
platform.  There's been some prior work on Audit on FreeBSD, but it's
never been completed and merged.  However, Audit requires some fairly
extensive changes, so I wouldn't look for it before August of 2004, I
think.  I've been vaguely thinking about taking a few weeks off work to
jumpstart it, but I haven't really found time.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research