From: Richard Bejtlich <richard_bejtlich@yahoo.com>
To: freebsd-security@freebsd.org
Date: Tue, 6 Jan 2004 13:04:30 -0800 (PST)
Subject: Logging user activities
Message-ID: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
List-Id: Security issues [members-only posting]

Hello,

What do you recommend for keeping track of user activities? For preserving bash histories I followed these recommendations:

http://www.defcon1.org/secure-command.html

They include using 'chflags sappnd .bash_history', enabling process accounting, and the like. My goal is to "watch the watchers," i.e. watch for abuse of power by SOC people with the ability to view traffic captured by sniffers.

I plan to use sudo to limit and audit user activities too. I may also try some of the patches to bash listed at project.honeynet.org which send keystrokes to a remote server. Hardware keystroke logging is always a possibility.

For more, should I turn to TrustedBSD integration in a future 5.x release?

Thank you,

Richard Bejtlich
http://www.taosecurity.com
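The setup the post describes (system-append-only .bash_history, process accounting as a second layer) in working form, as an added example that is not part of the original message or of the defcon1.org page it cites. Everything here is my own: it assumes home directories under /home, bash as the login shell, and FreeBSD's chflags/accton for the privileged steps (those functions dry-run when not root or when the tools are absent); the two startup files it audits are constructed for the demo. Two caveats a practitioner needs are built in: bash truncates and rewrites its history file on exit unless histappend is set, which an sappnd file refuses, so histappend has to be forced in /etc/profile; and a user who can edit a startup file can simply unset HISTFILE or run `set +o history`, which is what the audit function looks for.

```sh
#!/bin/sh
# Added example, not code from the original post or from defcon1.org: a helper
# for the history-preservation setup the post describes (chflags sappnd on
# .bash_history, process accounting) plus an audit for the obvious evasions.
# Assumptions (mine): home directories live under /home, bash is the login
# shell, FreeBSD chflags/accton are present for the hardening steps, and the
# sample startup files below are constructed for the demo.

# Startup-file lines that defeat history logging even when .bash_history is
# append-only: HISTFILE unset or reassigned, zero history sizes, or
# "set +o history". Prints matching lines; returns 0 if clean, 1 if any found,
# 2 if the file is unreadable.
audit_history_evasion() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    if grep -En '^[[:space:]]*((unset[[:space:]]+HISTFILE)|((export[[:space:]]+)?HISTFILE=)|((export[[:space:]]+)?HIST(FILE)?SIZE=0($|[[:space:]]))|(set[[:space:]]+[+]o[[:space:]]+history))' "$1"; then
        return 1
    fi
    return 0
}

# System-append-only history for one user. Two caveats: bash rewrites the file
# with truncation on exit unless "histappend" is set, and sappnd refuses that,
# so histappend must be forced in /etc/profile (see history_profile_snippet);
# and sappnd only binds while kern.securelevel > 0, otherwise whoever becomes
# root can chflags it off. Dry-runs when not root or chflags is missing.
harden_history() {
    user="$1"; hist="/home/$user/.bash_history"
    if [ "$(id -u)" -ne 0 ] || ! command -v chflags >/dev/null 2>&1; then
        echo "dry-run: touch $hist && chown $user $hist && chflags sappnd $hist"
        return 0
    fi
    touch "$hist" && chown "$user" "$hist" && chflags sappnd "$hist"
}

# Lines to add to /etc/profile so login bash shells append and cannot retarget
# their history. A user can still start another shell, which is why process
# accounting is the second layer.
history_profile_snippet() {
    cat <<'EOF'
shopt -s histappend
HISTFILE="$HOME/.bash_history"; HISTSIZE=10000; HISTFILESIZE=10000
readonly HISTFILE HISTSIZE HISTFILESIZE
EOF
}

# Turn on BSD process accounting (reviewed later with lastcomm(1)) and make it
# persist across reboots. Dry-runs when not root or accton is missing.
enable_accounting() {
    if [ "$(id -u)" -ne 0 ] || ! command -v accton >/dev/null 2>&1; then
        echo 'dry-run: touch /var/account/acct; accton /var/account/acct;'
        echo '         accounting_enable="YES" in /etc/rc.conf'
        return 0
    fi
    mkdir -p /var/account && touch /var/account/acct && accton /var/account/acct || return 1
    grep -q '^accounting_enable=' /etc/rc.conf || echo 'accounting_enable="YES"' >> /etc/rc.conf
}

# --- demo on constructed startup files -------------------------------------
DEMO_DIR=$(mktemp -d)
CLEAN_RC="$DEMO_DIR/clean.bashrc"
EVASIVE_RC="$DEMO_DIR/evasive.bashrc"
cat > "$CLEAN_RC" <<'EOF'
# constructed: a benign .bashrc
shopt -s histappend
export PS1='\u@\h:\w\$ '
EOF
cat > "$EVASIVE_RC" <<'EOF'
# constructed: what an operator hiding commands might add
unset HISTFILE
  HISTSIZE=0
set +o history
EOF

audit_history_evasion "$CLEAN_RC" && echo "clean.bashrc: no evasion"
audit_history_evasion "$EVASIVE_RC" || echo "evasive.bashrc: history evasion found"
harden_history soc1
history_profile_snippet
enable_accounting
```

Run it as root on the FreeBSD host to apply the flags and start accounting, or as an unprivileged user anywhere to see the dry-run commands and the audit output; running `audit_history_evasion` over every /home/*/.bashrc and .bash_profile from cron is the cheap "watch the watchers" check, and `lastcomm` over /var/account/acct covers what the shell history cannot.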