Date: Tue, 23 Jan 1996 14:08:18 +1100 (EST)
From: Anthony Hill
To: David Brockus
cc: freebsd-security@freebsd.org
Subject: Re: Logging user activity

Anthony Hill ahill@connect.com.au

On Mon, 22 Jan 1996, David Brockus wrote:

> I am running a FreeBSD 2.0.5R system. I believe there is a "hacked"
> account on the system I maintain. I would like to extensively monitor this
> user's activity. I want to log everything. Are there any suggestions on
> how to set this up or can anybody recommend any packages to do this?
> Thanks in advance.

Not for 2.05, but 2.1 has the really evil/cool "watch", which lets you
view/log EVERYTHING that goes through any other tty. You have to compile
the "snoop" device into your kernel, then just type "watch 'tty'"! You can
even control the other guy's tty. (Don't let the bad guys get hold of this
one!)

Anthony Hill