Date: Tue, 06 Jul 1999 01:47:18 -0700
From: Dean <dean@thegrid.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Tracking Root Users
Message-ID: <4.1.19990706014149.00963570@mail.thegrid.net>
In-Reply-To: <Pine.BSF.4.10.9907011457520.38657-100000@phoenix.unacom.com>

At 03:04 PM 7/1/99 -0400, Master Of Spirits wrote:
>I have found that the simplest way (which I use myself) is a few
>modifications to the shells themselves, and to syslog.conf. For the purposes
>of tracking commands used by uid 0, the shells script waits for su to
>send a confirmed su signal and then logs to a log file and continues to
>log all commands sent through the shell until su sends a termination
>signal. This bypasses syslog entirely save for the notification of
>failed or successful SU attempts. Minor adjustments could also pipe this
>feedback to a printer or external device, thus removing the possibility of
>hackers editing the logs themselves.
>
>-= UNACOM System Admin =-

That is a great idea, but an attacker could simply change shells directly after su-ing. I suppose all you need do is build this extra logging into each shell you have on your machines. Course, the attacker could import his own shell to get around that.... Maybe some sort of program that listens to the tty.

My two cents,

Dean

-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------