From: Domas Mituzas
Date: Tue, 5 Feb 2002 01:09:11 +0200 (EET)
Delivered-To: freebsd-security@freebsd.org
Subject: Re: Reliable shell logs
In-Reply-To: <3C5F0E7B.4020508@rambo.simx.org>
Message-ID: <20020205010230.U49413-100000@axis.tdd.lt>

Hi there,

> And what stops the user from changing his shell? 'chsh'
> would let him change shell to csh, tcsh or whatever is
> available on the system, right? How can I prevent this?

As well, nothing prevents a user from invoking perl and running shell commands from there. Or... putting his own wrapper around syscall(SYS_exec,). Userland isn't the solution. Process accounting maybe is. Or even syscall accounting, aka auditing (a TrustedBSD part?). Or the best way: do not let users invoke any commands on your system at all. The least privilege principle still works.

Of course, if you still wish to track your users, you should track all communication your system does with the outer world: keyboards, network bits coming to both sides. If you have too many bits coming to and fro, you'd find a way to filter out the uninteresting ones. And then you'll have what is called an IDS, a rather sensitive one, of course.

Script kiddies can be traced using bash logs, but not blackhats.

--
Cheers,
Domas