Date:      Tue, 23 Jan 1996 13:32:54 +1030 (CST)
From:      Michael Smith <msmith@atrad.adelaide.edu.au>
To:        dbrockus@cyberhall.com (David Brockus)
Cc:        freebsd-security@freebsd.org
Subject:   Re: Logging user activity
Message-ID:  <199601230302.NAA21521@genesis.atrad.adelaide.edu.au>
In-Reply-To: <Pine.BSF.3.91.960122122451.602C-100000@cyber1.cyberhall.com> from "David Brockus" at Jan 22, 96 12:32:17 pm

David Brockus stands accused of saying:
> 
> I am running a FreeBSD 2.0.5R system.  I believe there is a "hacked" 
> account on the system I maintain.  I would like to extensively monitor this 
> user's activity.  I want to log everything.  Are there any suggestions on 
> how to set this up or can anybody recommend any packages to do this?

A couple of things you can do; if their shell is one of the csh flavours
(most particularly tcsh), then you can set their history up (savehist 
in particular) controlled by readonly shell variables.  Set the
history length (first word in the 'savehist' variable) really high, say
around the 10,000 mark.

Then you can set the append-only flag on their .history file, and they're
screwed.  Bear in mind that this will immediately make them nervous.

An alternative would be to use the process accounting stuff; look at
'ac' and 'accton' and 'lastcomm'.

> 	   					David Brockus

-- 
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] "Who does BSD?" "We do Chucky, we do."                               [[
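
The following is an added example, not part of the original message: a small parser for reviewing one account's activity from saved `lastcomm` output once process accounting is enabled. It assumes the default BSD `lastcomm` column layout (command, flags, user, tty, CPU seconds, start time); the sample lines and the account name `jdoe` are constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple
# Flag letters BSD lastcomm prints after a leading "-" (per lastcomm(1)).
FLAG_MEANINGS = {
    "S": "executed by the super-user",
    "F": "ran after a fork without a following exec",
    "D": "terminated with a core dump",
    "X": "terminated by a signal",
}

class AcctRecord(NamedTuple):
    command: str
    flags: str
    user: str
    tty: str
    cpu_secs: float
    started: str

def parse_lastcomm_line(line):
    """Parse one output line; return None if it does not fit the layout.
    Fields are read from the right so a command name with spaces still parses."""
    tok = line.split()
    if len(tok) < 10 or tok[-5] != "secs" or not tok[-9].startswith("-"):
        return None
    try:
        cpu = float(tok[-6])
    except ValueError:
        return None
    return AcctRecord(" ".join(tok[:-9]), tok[-9][1:], tok[-8], tok[-7],
                      cpu, " ".join(tok[-4:]))

def review_user(lines, user):
    """Return (per-command counts, flagged records) for one account."""
    recs = [r for r in map(parse_lastcomm_line, lines) if r and r.user == user]
    counts = Counter(r.command for r in recs)
    flagged = [(r.command, r.started, [FLAG_MEANINGS.get(f, f) for f in r.flags])
               for r in recs if r.flags]
    return counts, flagged

# Constructed sample input (not real accounting data); "jdoe" is hypothetical.
SAMPLE = """\
ls         -       jdoe     ttyp1      0.02 secs Tue Jan 23 13:10
su         -S      jdoe     ttyp1      0.05 secs Tue Jan 23 13:11
cc1        -X      jdoe     ttyp1      1.20 secs Tue Jan 23 13:12
ls         -       jdoe     ttyp1      0.01 secs Tue Jan  2 13:13
sendmail   -SF     root     __         0.03 secs Tue Jan 23 13:14
"""
if __name__ == "__main__":
    print(*review_user(SAMPLE.splitlines(), "jdoe"), sep="\n")
```
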


