From: Pawel Jakub Dawidek
To: Richard Bejtlich
Cc: freebsd-security@freebsd.org
Date: Fri, 9 Jan 2004 15:06:57 +0100
Subject: Re: Logging user activities
Message-ID: <20040109140656.GK9171@garage.freebsd.pl>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>

On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> They include using 'chflags sappnd .bash_history',
> enabling process accounting, and the like.
>
> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.

Just forget about those methods.
The only right way to do such things is to monitor the execve(2) syscall at the kernel level. Look at:

http://garage.freebsd.pl/lrexec.README
http://garage.freebsd.pl/lrexec.tbz

--
Pawel Jakub Dawidek pawel@dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net