Date: Thu, 8 Jan 2004 09:44:50 +0200
From: Peter Pentchev <roam@ringlet.net>
To: richard childers / kg6hac
Cc: freebsd-security@freebsd.org
Subject: Re: keystroke logging
Message-ID: <20040108074450.GD692@straylight.m.ringlet.net>
In-Reply-To: <3FFCD954.4090106@pacbell.net>
References: <20040107200059.0D9DF16A4D9@hub.freebsd.org> <3FFCD954.4090106@pacbell.net>

On Wed, Jan 07, 2004 at 08:15:16PM -0800, richard childers / kg6hac wrote:
> >What do you recommend for keeping track of user
> >activities? For preserving bash histories I followed
> >these recommendations:
> >
> >http://www.defcon1.org/secure-command.html
> 
> Interesting reading but, as others have noted, of limited use.
> 
> Keystroke logging can be disabled by - as others have noted - either 
> spawning another (perhaps different) shell, using a remote shell ... or, 
> for those embarrassing 'oops' moments, `kill -9 $$` works nicely. Try it 
> and see.
> 
> Daemonized Networking Services has produced a standalone server 
> configuration that uses a modified script(1) and .login to collect 
> keystroke logs; the target users are consultants, or companies, who 
> administer highly secure networking equipment via serial links or 
> command-line interfaces, and whose own business files, or customers - 
> banks, say, or government agencies - require logs of what they did - for 
> purposes of auditing, disaster recovery, and liability-related issues.
> 
> This method captures every keystroke - including typos before hitting 
> RETURN - and cannot be sabotaged. As an added advantage, the logs can be 
> immediately, or subsequently, forwarded via electronic mail, so that 
> they are replicated in multiple places.

I hope you've taken into consideration the fact that script(1) by default
does not make any modifications to stdio's standard input/output buffering.
Thus, the script files it creates are fully-buffered by default, which for
normal files means that they are only actually written to when the buffer
fills up, and the buffer is usually 1K to 8K in size (although I've seen
systems with a BUFSIZ of 32K).  This means that if anyone kills the
script(1) process before the output has reached 1K (or 4K, or whatever) in
size, *no* output will be logged, and even if the script process is killed
afterwards, some of the output will be lost.  Consider:

[roam@straylight ~]> echo $$
5781
[roam@straylight ~]> script outfile
Script started, output file is outfile
Starting interactive C shell
[roam@straylight ~]> echo $$
5914
[roam@straylight ~]> ps -o ppid -p $$
 PPID
 5913
[roam@straylight ~]> kill -HUP 5913
Hangup
[roam@straylight ~]> echo $$
5781
[roam@straylight ~]> cat outfile
Script started on Thu Jan 8 09:20:17 2004
[roam@straylight ~]>

The -t option is of some help, although -t 0 could be implemented a bit
more efficiently with the attached patch.
G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence is false.

Index: src/usr.bin/script/script.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/script/script.c,v
retrieving revision 1.20
diff -u -r1.20 script.c
--- src/usr.bin/script/script.c	4 Sep 2002 23:29:06 -0000	1.20
+++ src/usr.bin/script/script.c	8 Jan 2004 07:39:00 -0000
@@ -150,10 +150,12 @@
 	if (child == 0)
 		doshell(argv);
 
-	if (flushtime > 0)
+	if (flushtime > 0) {
 		tvp = &tv;
-	else
+	} else {
+		setvbuf(fscript, NULL, _IONBF, 0);
 		tvp = NULL;
+	}
 
 	start = time(0);
 	FD_ZERO(&rfd);
@@ -187,7 +189,7 @@
 			(void)fwrite(obuf, 1, cc, fscript);
 		}
 		tvec = time(0);
-		if (tvec - start >= flushtime) {
+		if (flushtime > 0 && tvec - start >= flushtime) {
 			fflush(fscript);
 			start = tvec;
 		}
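Review bot: in the first hunk (@@ -150,10 +150,12 @@), the `setvbuf(fscript, NULL, _IONBF, 0)` call is only well-defined if no I/O has yet been performed on the stream, and the `cat outfile` in the session above shows a "Script started on ..." header that script(1) writes to that same file before the select loop this hunk sits in front of; if that header is written to fscript before line 150, the setvbuf() here is too late to be portable and belongs right after the point where fscript is opened, still under the same `flushtime > 0` test. The hunk also changes what `-t 0` means (every fwrite() to fscript now becomes its own write(2) rather than an fflush() after each read), so script.1 should be updated to say that a time of 0 makes the output file unbuffered.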
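Review bot: in the second hunk (@@ -187,7 +189,7 @@), the added `flushtime > 0 &&` guard is correct (with flushtime 0 the old `tvec - start >= flushtime` was always true, so the loop called fflush() after every read), but the `tvec = time(0);` context line directly above it now costs a system call per read that the unbuffered path never uses; restructuring it as `if (flushtime > 0) { tvec = time(0); if (tvec - start >= flushtime) { ... } }` keeps the -t 0 path as cheap as the hunk intends. Since fflush() on an unbuffered stream is a no-op, the guard itself is purely an optimisation and does not change what reaches the file.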
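Peter's point (a fully-buffered stdio stream loses whatever is still in its buffer when the process is killed, and `-t 0` can be served by switching the stream to `_IONBF`) can be reproduced without script(1). The C program below is an added example written for this page; it is not code from the mail, from FreeBSD or from script.c. It forks a writer that opens a temporary file (a constructed path under /tmp, assumed writable), writes a constructed sample line through a FILE* in the chosen buffering mode and then ends with `_exit()`, which skips the exit-time flush exactly as the `kill -HUP` in the session does; the parent then measures how many bytes reached the disk. The function name `bytes_surviving_kill()` and the sample line are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write `reps` copies of `chunk` to a fresh temp file through a FILE*
 * in buffering `mode` (_IOFBF is stdio's default for regular files,
 * _IONBF is what the patch's setvbuf() selects), then end the writer
 * the way a killed process ends: _exit() skips the exit-time fflush(),
 * just as SIGHUP or SIGKILL delivered to script(1) would.
 * Returns the number of bytes that actually reached the file, or -1. */
long bytes_surviving_kill(int mode, const char *chunk, int reps)
{
    char path[] = "/tmp/stdio-demo-XXXXXX";   /* constructed location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    pid_t pid = fork();
    if (pid < 0) {
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        /* the "script" process: it opens its own stream and sets the
         * buffering mode before the first write, the only point at
         * which setvbuf() is guaranteed to work */
        FILE *fp = fopen(path, "w");
        if (fp == NULL || setvbuf(fp, NULL, mode, 0) != 0)
            _exit(1);
        for (int i = 0; i < reps; i++)
            fputs(chunk, fp);
        /* killed: no fclose(), no fflush(), no exit() */
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) != 0) {
        unlink(path);
        return -1;
    }
    struct stat st;
    long n = (stat(path, &st) == 0) ? (long)st.st_size : -1;
    unlink(path);
    return n;
}

int main(void)
{
    const char *line = "[roam@straylight ~]> echo $$\n";   /* constructed */
    size_t len = strlen(line);

    printf("1 line,     fully buffered: %ld of %zu bytes survive\n",
           bytes_surviving_kill(_IOFBF, line, 1), len);
    printf("1 line,     unbuffered:     %ld of %zu bytes survive\n",
           bytes_surviving_kill(_IONBF, line, 1), len);
    printf("50000 lines, fully buffered: %ld of %zu bytes survive\n",
           bytes_surviving_kill(_IOFBF, line, 50000), len * 50000);
    printf("50000 lines, unbuffered:     %ld of %zu bytes survive\n",
           bytes_surviving_kill(_IONBF, line, 50000), len * 50000);
    return 0;
}
```

The single-line, fully-buffered run reproduces the empty `outfile` from the session: nothing reaches disk before the first buffer fills. The 50000-line run shows the second failure mode Peter describes, where whole buffers have been flushed but the tail is lost. The unbuffered runs lose nothing, at the price of one write(2) per fputs(); calling fflush() after every write, which the old `flushtime == 0` path did, gives the same durability at the same cost.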