From owner-freebsd-security Mon Feb 4 14:43:36 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rambo.simx.org (rambo.simx.org [194.17.208.54])
    by hub.freebsd.org (Postfix) with ESMTP id 397D037B425
    for ; Mon, 4 Feb 2002 14:43:28 -0800 (PST)
Received: from rambo.simx.org (rocky [192.168.0.2])
    by rambo.simx.org (8.11.6/8.11.6) with ESMTP id g14Mh8Z09287;
    Mon, 4 Feb 2002 22:43:12 GMT (envelope-from listsub@rambo.simx.org)
Message-ID: <3C5F0E7B.4020508@rambo.simx.org>
Date: Mon, 04 Feb 2002 23:43:07 +0100
From: "Roger 'Rocky' Vetterberg"
Reply-To: listsub@rambo.simx.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: Geir =?ISO-8859-1?Q?R=E5ness?=
Cc: petko@freebsd-bg.org, freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
References: <20020204152325.GA64082@fbi.gov> <001401c1ad9a$7be6d9e0$0100a8c0@elixor>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Geir Råness wrote:

> You always could set your users to the shell bash, that is patched with the
> "bofh" logging.
> That's one way you could securely log your users, but it could be found.
> It all depends on the intruder.

Do you know where I could find this patch? I tried google.com/bsd and
found a bunch of sh patches, but none for bash.

And what stops the user from changing his shell? 'chsh' would let him
change shell to csh, tcsh or whatever is available on the system, right?
How can I prevent this?

> This you can do something about however, you can have a local log server,
> that the "shell" server sends the log to,
> with upload access only.
> So the intruder can't delete the logs, you probably should make this server a
> local login only.
>
> Geir Råness
> PulZ @ efnet

--
R