From: Michael Smith
Message-Id: <199601230302.NAA21521@genesis.atrad.adelaide.edu.au>
Subject: Re: Logging user activity
To: dbrockus@cyberhall.com (David Brockus)
Date: Tue, 23 Jan 1996 13:32:54 +1030 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "David Brockus" at Jan 22, 96 12:32:17 pm

David Brockus stands accused of saying:
>
> I am running a FreeBSD 2.0.5R system. I believe there is a "hacked"
> account on the system I maintain. I would like to extensively monitor this
> user's activity. I want to log everything. Are there any suggestions on
> how to set this up, or can anybody recommend any packages to do this?

A couple of things you can do; if their shell is one of the csh flavours
(most particularly tcsh), then you can set their history up (savehist in
particular) controlled by readonly shell variables. Set the history length
(first word in the 'savehist' variable) really high, say around the 10,000
mark. Then you can set the append-only flag on their .history file, and
they're screwed.

Bear in mind that this will immediately make them nervous.

An alternative would be to use the process accounting stuff; look at 'ac'
and 'accton' and 'lastcomm'.

> David Brockus

-- 
]] Mike Smith, Software Engineer           msmith@atrad.adelaide.edu.au [[
]] Genesis Software                       genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and        (GSM mobile)     0411-222-496 [[
]] realtime instrument control            (ph/fax)       +61-8-267-3039 [[
]] "Who does BSD?" "We do Chucky, we do."                               [[
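The two approaches in Mike Smith's reply, worked into a small admin script. This is an added example, not code from the thread or from FreeBSD: the tcsh history policy uses tcsh's own `set -r` (read-only variable) and `histfile`/`savehist` settings, the append-only step uses `chflags sappnd` (with `chattr +a` as the Linux equivalent), and the process-accounting part reduces `lastcomm` output to per-user command counts. The startup-file path (/etc/csh.cshrc), the user name `jdoe` and the sample `lastcomm` lines are assumptions constructed for the demo; the parsing part runs under any POSIX sh, the flag-setting function needs root on a real system.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Helpers for the two
# monitoring approaches in Mike Smith's reply: a read-only tcsh history
# policy and a summariser for BSD process-accounting output.  Paths and the
# sample lastcomm lines below are assumptions/constructed for the demo.

# 1. tcsh history policy.  'set -r' in tcsh makes a variable read-only for
#    the session, so the user cannot shrink, unset or redirect the history
#    from the prompt.  Appends a fragment to a tcsh startup file
#    ($1, e.g. /etc/csh.cshrc on FreeBSD; assumed path).
write_tcsh_history_policy() {
    cat >> "$1" <<'EOF'
# history policy fragment (added by the monitoring example)
if ( $?tcsh ) then
    set -r history = 10000
    set -r savehist = 10000
    set -r histfile = ~/.history
endif
EOF
}

# 2. Append-only history file.  On FreeBSD the system flag (sappnd) can only
#    be cleared by root when the securelevel is 0 or lower; the user flag
#    (uappnd) can be cleared by the file's owner and so protects nothing here.
#    Caveat: the flag rejects truncation, so it only helps with a shell that
#    appends to its history file instead of rewriting it on exit; check that
#    for the shell in use before relying on it.
protect_history_file() {
    [ -e "$1" ] || : > "$1"
    if command -v chflags >/dev/null 2>&1; then
        chflags sappnd "$1"            # FreeBSD (needs root)
    elif command -v chattr >/dev/null 2>&1; then
        chattr +a "$1"                 # Linux ext* equivalent (needs root)
    else
        echo "no append-only file flag on this system" >&2
        return 1
    fi
}

# 3. Process accounting is shell-independent: once root runs
#    'accton /var/account/acct', every exec'd command is recorded (name, user,
#    tty, CPU time, start; no arguments) and 'lastcomm' prints it.  This
#    reduces lastcomm output on stdin to "user<TAB>command<TAB>count" lines,
#    optionally for one user ($1), so one account's activity stands out.
summarize_lastcomm() {
    awk -v want="${1:-}" '
        NF >= 6 && (want == "" || $3 == want) { n[$3 "\t" $1]++ }
        END { for (k in n) print k "\t" n[k] }
    ' | LC_ALL=C sort
}

# Constructed sample of lastcomm output (command, flags, user, tty, CPU, start)
SAMPLE_LASTCOMM='sh        -       jdoe     ttyp1      0.03 secs Mon Jan 22 12:30
ls        -       jdoe     ttyp1      0.02 secs Mon Jan 22 12:31
ls        -       jdoe     ttyp1      0.01 secs Mon Jan 22 12:31
cc        -       jdoe     ttyp1      1.42 secs Mon Jan 22 12:33
sendmail  SF      root     __         0.10 secs Mon Jan 22 12:34'

# Demo: the real invocation is simply   lastcomm | summarize_lastcomm jdoe
printf '%s\n' "$SAMPLE_LASTCOMM" | summarize_lastcomm jdoe
```

Two practical limits worth keeping in mind: the history route only records interactive tcsh sessions (anything started with `exec sh`, a cron job or a non-interactive login never touches .history, and the file is only written when the shell exits), whereas accounting records every process the account runs but stores the command name only, never its arguments. Both leave traces the user can see, which is the nervousness the reply warns about.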