From owner-freebsd-security Mon Feb 11 18:17:35 2002
Date: Tue, 5 Feb 2002 08:47:15 -0600 (CST)
From: admin
To: "Roger 'Rocky' Vetterberg"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
Message-Id: <20020212021138.1BFEA9F25C@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG

bofh bash and tcsh are at http://www.ccitt5.net/new/

- emacs

On Mon, 4 Feb 2002, Roger 'Rocky' Vetterberg wrote:

> Geir Råness wrote:
>
> > You always could set your users to the shell bash, that is patched with the
> > "bofh" logging.
> > That's one way you could securely log your users, but it could be found.
> > It all depends on the intruder.
>
> Do you know where I could find this patch?
> I tried google.com/bsd and found a bunch of sh patches, but
> none for bash.
> And what stops the user from changing his shell? 'chsh'
> would let him change shell to csh, tcsh or whatever is
> available on the system, right? How can I prevent this?
>
> > This you can do something about however, you can have a local log server,
> > that the "shell" server sends the log to,
> > with upload access only.
> > So the intruder can't delete the logs, you probably should make this server a
> > local login only.
> >
> > Geir Råness
> > PulZ @ efnet
>
> --
> R
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message