From owner-freebsd-security  Mon Jan 17 18: 7: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70])
	by hub.freebsd.org (Postfix) with SMTP id 0CC9514D2D
	for <freebsd-security@FreeBSD.ORG>; Mon, 17 Jan 2000 18:06:58 -0800 (PST)
	(envelope-from oogali@intranova.net)
Received: (qmail 27669 invoked from network); 17 Jan 2000 21:09:06 -0000
Received: from hydrant.intranova.net (user69996@209.201.95.10)
  by blacklisted.intranova.net with SMTP; 17 Jan 2000 21:09:06 -0000
Date: Mon, 17 Jan 2000 21:04:07 -0500 (EST)
From: Omachonu Ogali <oogali@intranova.net>
To: Adam <bsdx@looksharp.net>
Cc: Will Andrews <andrews@TECHNOLOGIST.COM>,
	freebsd-security@FreeBSD.ORG
Subject: RE: Parent Logging Patch for sh(1)
In-Reply-To: <Pine.BSF.4.21.0001171536040.68131-100000@sapphire.looksharp.net>
Message-ID: <Pine.BSF.4.10.10001172101390.96286-100000@hydrant.intranova.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
username logging along with a deny list (/etc/sh.deny).

And in reference to Keith Stevenson's 'So?', if you can determine the
point of entry in an intrusion you can backtrack to where it originated,
the main reason I created that patch was to allow a system administrator
to backtrack in the case of an intrusion.

Omachonu Ogali
Intranova Networking Group

On Mon, 17 Jan 2000, Adam wrote:

> I haven't looked at it but it sounds like something useful to me.  
> 
> On Sun, 16 Jan 2000, Omachonu Ogali wrote:
> 
> > I thought it would benefit those who are security minded. Why shouldn't I
> > have posted it?
> > 
> > Omachonu Ogali
> > Intranova Networking Group
> > 
> > On Sun, 16 Jan 2000, Will Andrews wrote:
> > 
> > > On 16-Jan-00 Omachonu Ogali wrote:
> > > > After applied, sh(1) will log the parent process ID and name that executed
> > > > it into syslog. Available from
> > > > http://tribune.intranova.net/archives/sh-log.patch
> > > 
> > > Is there any (valid) reason why you posted this here?
> > > 
> > > --
> > > Will Andrews <andrews@technologist.com>
> > > GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
> > > ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ 
> > > G++>+++ e->++++ h! r-->+++ y?
> > > 
> > 
> > 
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> > 
> > 
> 
> 




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message