From: Julian Elischer
Date: Mon, 10 Feb 2003 18:03:07 -0800 (PST)
To: hackers@freebsd.org, des@freebsd.org
Subject: Some "security" questions.

Our client wants the following 'features' and we'd LIKE to be able to at least say "yes we can do that", even if we can also say "but we don't think it's a good idea".

1/ Command logging. We're thinking that a hacked version of the shell that logs commands may do what they want, but personally I think that if you are going to log things then you really want to PROPERLY do it, and log the EXEC commands along with the arguments. (sadmin et al. doesn't give arguments, and neither does ktrace)

2/ they want to disable a login if it fails 'n' sequential logins anywhere in the system. i.e. 2 on one machine followed by another on another machine.

#2 sounds like a great DOS to me.. operator operator operator heh heh heh but they want it..
So, does anyone have any suggestions of how these can be achieved using existing s/w? I can imagine using pam_radius, and hacking a radius server to track login fails..

Anyone have any better ideas? Maybe a pam_module specially written? (hmmmm)

Anyone have any modules to REALLY log execs?
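Added example, not part of the original mail and not code from FreeBSD, PAM or any RADIUS server: a sketch of the site-wide counter that item 2 asks for, where failures from any host extend one per-account streak and only a success resets it. The `FailureTracker` class, its `exempt` list (an assumed way to keep chosen accounts from being disabled by anyone who can type their name) and the sample events are all hypothetical and constructed.

```python
from dataclasses import dataclass, field

# Constructed sample events: (host, account, outcome). Not real log data.
SAMPLE_EVENTS = [
    ("hostA", "operator", "fail"),
    ("hostA", "operator", "fail"),
    ("hostB", "operator", "fail"),   # third sequential failure, on another machine
    ("hostB", "operator", "ok"),     # arrives after the lockout, so it is refused
    ("hostA", "julian", "fail"),
    ("hostB", "julian", "ok"),       # a success resets the streak
    ("hostA", "julian", "fail"),
]

@dataclass
class FailureTracker:
    """Central count of sequential failed logins per account (hypothetical)."""
    limit: int = 3
    exempt: frozenset = frozenset()              # assumption: never auto-disabled
    streak: dict = field(default_factory=dict)   # account -> current failure run
    hosts: dict = field(default_factory=dict)    # account -> hosts seen in the run
    disabled: set = field(default_factory=set)

    def record(self, host, account, outcome):
        """Return 'refused', 'ok', 'fail' or 'disabled' for one login attempt."""
        if account in self.disabled:
            return "refused"                     # stays locked until enable()
        if outcome == "ok":
            self.streak[account] = 0             # only a success breaks the sequence
            self.hosts[account] = set()
            return "ok"
        self.streak[account] = self.streak.get(account, 0) + 1
        self.hosts.setdefault(account, set()).add(host)
        if self.streak[account] >= self.limit and account not in self.exempt:
            self.disabled.add(account)
            return "disabled"
        return "fail"

    def enable(self, account):
        """Administrative re-enable; also clears the failure run."""
        self.disabled.discard(account)
        self.streak[account] = 0
        self.hosts[account] = set()

def replay(events, **kwargs):
    """Feed events through a fresh tracker; return it with per-event results."""
    tracker = FailureTracker(**kwargs)
    return tracker, [tracker.record(*event) for event in events]
```
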