Re: Logging user activities

From: Jason Stone (freebsd-security_at_dfmm.org)
Date: 01/07/04

  • Next message: Dag-Erling Smørgrav: "HEADS UP: OpenSSH 3.7.1p2"
    Date: Tue, 6 Jan 2004 18:31:31 -0800 (PST)
    To: freebsd-security@freebsd.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > What do you recommend for keeping track of user
    > activities? For preserving bash histories I followed
    > these recommendations:
    >
    > http://www.defcon1.org/secure-command.html
    >
    > They include using 'chflags sappnd .bash_history',

    I think that this has come up on this list before - check the archives.

    anyway, my feeling on this is that relying on shell history tricks is
    entirely the wrong approach - anyone who's going to be abusing a system is
    going to turn off shell history first thing. Any silly tricks you do to
    try and prevent that can easily be worked around by using another shell,
    or by running commands through a mechanism other than the shell (:!command
    in vi, cat | xargs perl -ple 'system "$_"', etc).

    sniffing ttys is a step up, though it's still possible to log in through
    ssh/rsh and run commands without allocating a tty.

    be cautious about sniffing ttys, though - if users log into other systems
    from this system, or if they connect to services running locally that
    require authentication, you'll be collecting a tidy pile of very sensitive
    information all in one place, making for easy stealing. consider using
    crypto, streaming to another, more hardened host, securely destroying the
    logs on a regular basis, etc. and of course you should consider the legal
    and ethical issues implicated by keystroke logging....

    finally, process accounting will universally collect info on every process
    that gets run, but it looks like it doesn't log arguments and that it caps
    command names to sixteen characters, which is kind of limiting.

     -Jason

     --------------------------------------------------------------------------
     Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
     that he was insufficiently fondled when he was an infant.
            -- Ashley Montagu
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (FreeBSD)
    Comment: See https://private.idealab.com/public/jason/jason.gpg

    iD8DBQE/+2+DswXMWWtptckRArPiAKCQHnlWgWothPwydKju+4NAOwDqQwCfSJVD
    aVA1fq9IUiBhYFh0yAShcVQ=
    =pNg+
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
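The shell-history bypasses the post lists, worked through as an added example that is not part of the original message or of any FreeBSD code. It feeds typed lines into `bash -i` with a scratch HISTFILE to stand in for an interactive login and then prints what `.bash_history` would have captured. Assumptions: bash (for `--norc` and `-i`), `mktemp` and an `xargs` that understands `-I` are installed; the sample commands `id` and `uname` are placeholders chosen here.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread. Simulates an interactive bash
# session by piping "typed" lines into 'bash -i' with a scratch HISTFILE and
# shows what .bash_history ends up holding. Assumes bash, mktemp, xargs -I.

# simulate_session LINE... : run each LINE as if typed at a bash prompt and
# print the history file the session leaves behind.
simulate_session() {
    histfile=$(mktemp)
    # --norc: ignore rc files so only the variables set here matter.
    # -i: interactive mode, which is what turns on history recording.
    # Command output and bash's "no job control" warnings are discarded.
    printf '%s\n' "$@" |
        HISTFILE="$histfile" HISTCONTROL= HISTIGNORE= \
        bash --norc -i >/dev/null 2>&1 || true
    cat "$histfile"
    rm -f "$histfile"
}

# 1. A cooperative user: every typed line lands in the history file.
recorded_normally() {
    simulate_session 'id' 'uname'
}

# 2. The first thing an abuser does: turn history off. Nothing is written,
#    not even the 'unset HISTFILE' line itself. An append-only flag on the
#    file (chflags sappnd) changes nothing here: bash never opens it.
history_disabled() {
    simulate_session 'unset HISTFILE' 'id' 'uname'
}

# 3. Run commands through something other than the shell (the xargs trick
#    from the post). History keeps the single launcher line; the commands
#    it actually executed never appear.
via_xargs() {
    simulate_session "printf '%s\n' id uname | xargs -I{} sh -c {}"
}

# Uncomment to see the three outcomes side by side:
# echo '--- cooperative user ---';    recorded_normally
# echo '--- history disabled ---';    history_disabled
# echo '--- commands via xargs ---';  via_xargs
```

The same result follows from running another shell, from `:!command` inside vi, or from a command run over ssh without a tty: whatever the history file records is controlled by the process writing it, so it is a convenience for the user, not an audit trail.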

