From: Anthony Schneider
To: Ceri Storey
Cc: Petko Popadiyski, freebsd-security@FreeBSD.ORG
Date: Mon, 4 Feb 2002 18:23:09 +0000
Subject: Re: Reliable shell logs
Message-ID: <20020204182309.C1633@mail.slc.edu>

> > Also i would like to ask how to make a user .history file unaccessible
> > for his owner ( to prevent it from deleting)?
> use "chflags sappend ", this will set the "system append only
> flag", ie: you may only append to the file, and it's only set/unsettable
> by root.

a user may still change the histfile (tcsh) or HISTFILE (bash, zsh) variable
to simply point to another file, such as /dev/null.
You may make this variable readonly by issuing the shell-builtin command
(bash and zsh):

    readonly HISTFILE

If you put this in your system-wide shell config files and chflags them to be
immutable, you can ensure that the history will be written only to the named
HISTFILE. But, like someone else mentioned, this can easily be overcome by
merely writing a simple perl shell and issuing system calls.

I believe that there is/was a kernel module at some point which allowed for
more extensive logging of commands (full command-line minus symbols
interpreted by the shell) which gives at least somewhat more detailed
logging than your basic accounting, assuming of course that accounting can't
be made to do this already.

-Anthony.

p.s. sincerest apologies to anyone who has received multiple copies of this
email. I've been having a few mail difficulties.
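
The two settings discussed in this message (the append-only flag on the history file, and `readonly HISTFILE` in the shell config) can be checked with a small audit script. This is an added example, not part of the original e-mail: the function names, the sample `ls -lo` line and the profile contents are constructed, and it assumes FreeBSD's `ls -lo` column layout and a `bash` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original message). Names and sample data
# are hypothetical / constructed for illustration.

# has_flag FLAG "LS_LINE"
# Succeeds if the flags column of one line of FreeBSD `ls -lo` output
# (5th field, comma-separated, "-" when no flags are set) contains FLAG.
# ls prints the append-only flag as "sappnd" and the immutable flag as "schg".
has_flag() {
    hf_flags=$(printf '%s\n' "$2" | awk '{print $5}')
    case ",$hf_flags," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# histfile_locked PROFILE
# Succeeds if a bash that sources PROFILE ends up with HISTFILE marked
# readonly, i.e. `declare -p HISTFILE` reports an attribute set containing r.
histfile_locked() {
    hl_attr=$(bash --noprofile --norc -c '. "$1"; declare -p HISTFILE' _ "$1" \
              2>/dev/null | awk 'NR==1 {print $2}')
    case "$hl_attr" in
        -*r*) return 0 ;;
        *)    return 1 ;;
    esac
}

# --- demo on constructed input -------------------------------------------
# One `ls -lo` line in the layout FreeBSD prints (constructed).
sample='-rw-------  1 alice  alice  sappnd 812 Feb  4 18:23 /home/alice/.history'
if has_flag sappnd "$sample"; then
    echo "history file is system append-only"
else
    echo "WARNING: history file is missing the sappnd flag"
fi

# A constructed system-wide profile fragment that locks HISTFILE.
demo_profile=$(mktemp)
printf 'HISTFILE=$HOME/.bash_history\nreadonly HISTFILE\n' > "$demo_profile"
if histfile_locked "$demo_profile"; then
    echo "HISTFILE is readonly after sourcing the profile"
else
    echo "WARNING: profile does not make HISTFILE readonly"
fi
rm -f "$demo_profile"
```

Both checks only confirm that the settings are in place; as the message itself notes, they do not stop a user from running commands outside the logged shell.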