From: richard childers / kg6hac
Reply-To: fscked@pacbell.net
Organization: Daemonized Networking Services - http://www.daemonized.com
Date: Wed, 07 Jan 2004 20:15:16 -0800
To: freebsd-security@freebsd.org
Subject: Re: keystroke logging
In-Reply-To: <20040107200059.0D9DF16A4D9@hub.freebsd.org>

> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html

Interesting reading but, as others have noted, of limited use.

Keystroke logging can be disabled by - as others have noted - either spawning another (perhaps different) shell, using a remote shell ... or, for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it and see.

Daemonized Networking Services has produced a standalone server configuration that uses a modified script(1) and .login to collect keystroke logs; the target users are consultants, or companies, who administer highly secure networking equipment via serial links or command-line interfaces, and whose own business files, or customers - banks, say, or government agencies - require logs of what they did - for purposes of auditing, disaster recovery, and liability-related issues.

This method captures every keystroke - including typos before hitting RETURN - and cannot be sabotaged. As an added advantage, the logs can be immediately, or subsequently, forwarded via electronic mail, so that they are replicated in multiple places.

We also have a network server configuration that incorporates everything described above, as well as an encrypted filesystem; although the encrypted filesystem is optional, and there are some unresolved issues related to backing up the contents - as well as recovering them - your entire home directory, including your personal startup files, is incorporated into the encrypted filesystem.

Pretty cool; add a GUI, maybe an office suite, and we think we can give Windows 2000 a run for their money - in some quarters, at least. (Angel VCs are welcome; development isn't cheap, here in the Bay Area.)

I mention this as a shameless plug for our products, which are based on FreeBSD, as well as pursuant to the topic at hand; incidentally, freely dispensing intellectual property that took years to acquire, in exchange. (Gotta stop that.) (You folks all signed NDAs, right?) (-;

Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
https://www.daemonized.com
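A session-recording login shell in the spirit of the script(1)-plus-.login setup described in the post above, added here as an example; it is not Daemonized Networking Services' code. The paths, the mail recipient, FreeBSD script(1)'s -k keystroke-logging flag and a working local mail(1) are assumptions.

```shell
#!/bin/sh
# audit-shell: a session-recording login shell built on script(1). Example code
# added here; it is not the Daemonized Networking Services tool from the post.
# Assumed (hypothetical) values: the three paths below, FreeBSD script(1)'s -k
# flag, and a working local mail(1). On FreeBSD, `chflags sappnd` on LOG_DIR
# stops the recorded user from truncating earlier logs.
readonly REAL_SHELL=/bin/sh
readonly LOG_DIR=/var/audit/sessions
readonly AUDIT_MAILTO=audit-archive@example.invalid

# Log file name: <user>-<tty>-<UTC stamp>.log, with the tty path flattened.
session_log_name() {
    tty_id=${2#/dev/}
    printf '%s-%s-%s.log' "$1" "$(printf '%s' "$tty_id" | tr / _)" "$3"
}

# Record only the outermost interactive session: skip when the nesting flag is
# set (script(1) already owns this pty) or when there is no tty at all.
# Args: <nesting flag> <tty name or "not a tty">. Returns 0 to record.
session_should_record() {
    [ -z "$1" ] && [ -n "$2" ] && [ "$2" != "not a tty" ]
}

# Mail the finished log so a copy exists off the host.
forward_log() {
    mail -s "session log: $(hostname) $(basename "$1")" "$AUDIT_MAILTO" < "$1"
}

run_audited_session() {
    tty_name=$(tty 2>/dev/null) || tty_name="not a tty"
    if ! session_should_record "${AUDIT_SESSION_ACTIVE:-}" "$tty_name"; then
        exec "$REAL_SHELL" "$@"
    fi
    # Fail closed: no writable log directory means no session, not an
    # unrecorded one.
    if [ ! -d "$LOG_DIR" ] || [ ! -w "$LOG_DIR" ]; then
        echo "audit-shell: cannot write session log, refusing login" >&2
        exit 1
    fi
    log=$LOG_DIR/$(session_log_name "$(id -un)" "$tty_name" "$(date -u +%Y%m%dT%H%M%SZ)")
    # script(1) is the parent of the user's shell and owns the pty, so shells
    # started inside, remote sessions typed through it, and a kill -9 of the
    # inner shell are all recorded; -k logs keystrokes too, -a appends.
    AUDIT_SESSION_ACTIVE=1 SHELL=$REAL_SHELL script -a -k -q "$log" "$REAL_SHELL" "$@"
    status=$?
    forward_log "$log"
    exit "$status"
}
# login(1) starts a login shell with argv[0] prefixed by "-".
case $0 in -*|*/audit-shell|audit-shell) run_audited_session "$@" ;; esac
```

Install it as the user's login shell (chsh); the nesting flag keeps a second invocation from the inside from starting another script(1) around the same pty.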