From owner-freebsd-security Tue Jul 6 01:49:19 1999
From: Dean
To: freebsd-security@FreeBSD.ORG
Date: Tue, 06 Jul 1999 01:47:18 -0700
Subject: Re: Tracking Root Users
Message-Id: <4.1.19990706014149.00963570@mail.thegrid.net>

At 03:04 PM 7/1/99 -0400, Master Of Spirits wrote:
>I have found that the simplest way (which I use myself) is a few
>modifications to the shells themselves, and to syslog.conf. For the purposes
>of tracking commands used by uid 0, the shell script waits for su to
>send a confirmed su signal and then logs to a log file and continues to
>log all commands sent through the shell until su sends a termination
>signal. This bypasses syslog entirely save for the notification of
>failed or successful SU attempts. Minor adjustments could also pipe this
>feedback to a printer or external device, thus removing the possibility of
>hackers editing the logs themselves.
>
>-= UNACOM System Admin =-

That is a great idea, but an attacker could simply change shells directly
after su-ing. I suppose all you need do is build this extra logging into
each shell you have on your machines. Course, the attacker could import
his own shell to get around that....
Maybe some sort of program that listens to the tty.

My two cents,
Dean
-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------
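An added example of the approach Dean floats at the end of his message, a program that listens to the tty rather than a patch to each shell. This is not code from the list post or from FreeBSD. It runs the privileged shell on a pseudo-terminal it owns and appends everything the shell writes to a log, so switching to a different shell, or bringing in a private one, does not escape the recording because the recorder sits between the terminal and whatever runs on it. The log path under /var/log and the use of `$SHELL` are assumed example values.

```python
"""Record a privileged shell session at the tty level.

Added example for the thread above; not code from the mailing list or from
FreeBSD. The recorder owns the pty, so the transcript is captured whatever
shell the user switches to after su.
"""
import os
import select
import sys
import termios
import time
import tty


def record_session(argv, log_path, forward_stdin=None):
    """Run argv on a fresh pseudo-terminal and append its output to log_path.

    Returns (exit_code, transcript_bytes). With forward_stdin true the caller's
    terminal goes raw and keystrokes are relayed to the child, giving a normal
    interactive session; the default enables that only when stdin is a tty, so
    the function also runs non-interactively (as demo() below does).
    """
    if forward_stdin is None:
        forward_stdin = sys.stdin is not None and sys.stdin.isatty()
    pid, master_fd = os.forkpty()
    if pid == 0:
        # Child: the pty slave is now its controlling terminal; become the shell.
        try:
            os.execvp(argv[0], argv)
        except OSError:
            os._exit(127)

    stdin_fd = sys.stdin.fileno() if forward_stdin else None
    saved_tty = None
    if forward_stdin:
        saved_tty = termios.tcgetattr(stdin_fd)
        tty.setraw(stdin_fd)

    chunks = []
    try:
        with open(log_path, "ab", buffering=0) as log:
            log.write(("=== session start %s uid=%d argv=%r ===\n" % (
                time.strftime("%Y-%m-%dT%H:%M:%S%z"), os.getuid(), argv)).encode())
            fds = [master_fd] + ([stdin_fd] if forward_stdin else [])
            while True:
                ready, _, _ = select.select(fds, [], [])
                if master_fd in ready:
                    try:
                        data = os.read(master_fd, 4096)
                    except OSError:
                        # Linux reports EIO on the master once the child has exited.
                        data = b""
                    if not data:
                        break
                    chunks.append(data)
                    log.write(data)  # raw transcript, control sequences included
                    if forward_stdin:
                        os.write(sys.stdout.fileno(), data)
                if forward_stdin and stdin_fd in ready:
                    keys = os.read(stdin_fd, 1024)
                    if keys:
                        os.write(master_fd, keys)
                    else:
                        fds.remove(stdin_fd)  # terminal closed; drain the child only
            log.write(("\n=== session end %s ===\n"
                       % time.strftime("%Y-%m-%dT%H:%M:%S%z")).encode())
    finally:
        if saved_tty is not None:
            termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved_tty)
        os.close(master_fd)

    _, status = os.waitpid(pid, 0)
    exit_code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return exit_code, b"".join(chunks)


def demo():
    """Self-check: record a one-line, non-interactive sh session in a temp dir."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "root-session.log")
        code, transcript = record_session(
            ["sh", "-c", "echo recorded-by-pty; exit 3"], log_path, forward_stdin=False)
        with open(log_path, "rb") as f:
            log = f.read()
    return code, transcript, log


if __name__ == "__main__":
    # Interactive use: wrap the root shell. The log path is an assumed example
    # location, not a FreeBSD convention.
    shell = sys.argv[1:] or [os.environ.get("SHELL", "/bin/sh"), "-l"]
    sys.exit(record_session(shell, "/var/log/root-sessions.log")[0])
```

The recorder runs with the same privileges as the session it records, so it settles the "which shell" problem but not the log-tampering one the original post raises: the file it writes is owned by the root user being watched. That is why the post's point about a printer or external device still applies; the same loop can write to a socket or a serial line instead of a local file, and the transcript should leave the host as it is produced.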