Date: Tue, 5 Feb 2002 01:09:11 +0200 (EET)
From: Domas Mituzas <midom@delfi.lt>
To: <freebsd-security@FreeBSD.ORG>
Subject: Re: Reliable shell logs
Message-ID: <20020205010230.U49413-100000@axis.tdd.lt>
In-Reply-To: <3C5F0E7B.4020508@rambo.simx.org>

Hi there,

> And what stops the user from changing his shell? 'chsh'
> would let him change shell to csh, tcsh or whatever is
> available on the system, right? How can I prevent this?

As well as nothing prevents the user from invoking perl and running shell commands from there. Or... putting his own wrapper for syscall(SYS_exec,). Userland isn't a solution. Process accounting maybe is. Or even syscall accounting, aka auditing (TrustedBSD part?). Or the best way - do not let users invoke any commands on your system at all. Least privilege principle still works.

Of course, if you still wish to track your users, you should track all communication your system does with the outer world - keyboards, network bits coming to both sides. If you have too many bits coming to and fro, you'd find how to filter not interesting ones. And then you'll have what is called an IDS, a rather sensitive one, of course.

Script kiddies can be traced using bash logs, but not blackhats.

--
Cheers,
Domas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020205010230.U49413-100000>