Date: Mon, 4 Feb 2002 18:23:09 +0000
From: Anthony Schneider <aschneid@mail.slc.edu>
To: Ceri Storey <cez@pkl.net>
Cc: Petko Popadiyski <petko@freebsd-bg.org>, freebsd-security@FreeBSD.ORG
Subject: Re: Reliable shell logs
Message-ID: <20020204182309.C1633@mail.slc.edu>
In-Reply-To: <20020204175744.B1056@mail.slc.edu>; from aschneid@mail.slc.edu on Mon, Feb 04, 2002 at 05:57:44PM +0000
References: <20020204152325.GA64082@fbi.gov> <200202041703.RAA13046@pkl.net> <20020204121317.A16234@mail.slc.edu> <20020204175744.B1056@mail.slc.edu>

> > Also I would like to ask how to make a user .history file unaccessible
> > for his owner (to prevent it from deleting)?
> use "chflags sappend <file>", this will set the "system append only
> flag", ie: you may only append to the file, and it's only set/unsettable
> by root.

A user may still change the histfile (tcsh) or HISTFILE (bash, zsh)
variable to simply point to another file, such as /dev/null. You may
make this variable readonly by issuing the shell-builtin command (bash
and zsh):

    readonly HISTFILE

If you put this in your system-wide shell config files and chflags them
to be immutable, you can ensure that the history will be written only to
the named HISTFILE.

But, like someone else mentioned, this can easily be overcome by merely
writing a simple Perl shell and issuing system calls. I believe that
there is/was a kernel module at some point which allowed for more
extensive logging of commands (full command-line minus symbols
interpreted by the shell) which gives for at least somewhat more detailed
logging than your basic accounting, assuming of course that accounting
can't be made to do this already.

-Anthony.

p.s. sincerest apologies to anyone who has received multiple copies of
this email. I've been having a few mail difficulties.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020204182309.C1633>
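
Added example, not part of the original message: a check that a system-wide profile fragment actually pins HISTFILE in bash, as the message describes. The profile contents, the file names, the PROBE path and the function names are constructed for the demo, and /etc/profile in the closing comment is an assumed location for the real file.

```sh
#!/bin/sh
# Verify that sourcing a profile leaves HISTFILE impossible to repoint.

PROBE=/nonexistent/histfile-probe   # sentinel path used only for the check

# Write a constructed profile fragment to $1; $2=yes adds the readonly line.
write_profile() {
    printf '%s\n' 'HISTFILE="$HOME/.bash_history"' > "$1"
    if [ "$2" = yes ]; then printf '%s\n' 'readonly HISTFILE' >> "$1"; fi
}

# Return 0 if a bash that sourced profile $1 keeps HISTFILE after an attempt
# to repoint it, 1 if the attempt succeeds, 2 if the profile sets no HISTFILE.
histfile_locked() {
    # The value is printed before and after the attempt, so the verdict holds
    # whether bash aborts on the readonly error or carries on.
    out=$(PROBE="$PROBE" bash --norc --noprofile -c '
        . "$1"
        printf "%s\n" "$HISTFILE"
        HISTFILE=$PROBE
        printf "%s\n" "$HISTFILE"' _ "$1" 2>/dev/null) || true
    first=$(printf '%s\n' "$out" | head -n 1)
    last=$(printf '%s\n' "$out" | tail -n 1)
    [ -n "$first" ] || return 2
    [ "$last" != "$PROBE" ]
}

# Demo on two constructed fragments: one with the readonly line, one without.
tmp=$(mktemp -d)
write_profile "$tmp/locked" yes
write_profile "$tmp/open" no
for f in locked open; do
    if histfile_locked "$tmp/$f"; then
        echo "$f: HISTFILE pinned"
    else
        echo "$f: HISTFILE can be repointed"
    fi
done
rm -rf "$tmp"

# On FreeBSD, root would then make the real config file immutable, e.g.:
#   chflags schg /etc/profile     (assumed path)
```

This only confirms the shell-level lock; as the message notes, a user who runs commands outside that shell is not covered by it.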