Re: process accounting

mark.securityfocus_at_winksmith.com
Date: 05/28/03

    Date: Tue, 27 May 2003 18:50:06 -0400
    To: Reveret Julien <shaddai@nerim.net>
    
    

    On Tue, May 27, 2003 at 07:15:02PM +0200, Reveret Julien wrote:
    > > > What you can do is patch your system with grsec patches, or patch your
    > > > users' shell. There is a patch for bash which makes bash log everything
    > > > that is typed (I don't remember the url, search for bash+logging+patch).
    > >
    > >
    > > Why don't you use the good old process accounting feature?
    >
    > Because this guy wants to log all the arguments of every command run by
    > users, process accounting doesn't.

    also, there are commands which bash will execute, but do not
    translate into a separate command (builtins). these include,
    but are not limited to: cd, dirs, for, while, alias, set,
    export, <variable-assignment>, <file-sourcing>, and so forth.

    an interesting approach would be to do something like:

            cat < /etc/passwd

    the user ran "cat" and that is logged, but the interesting
    part of the activity (namely the looking at the password
    file) is not logged.

    more, the following script:

            while read line
            do
                    echo $line
            done < /etc/passwd

    is all shell builtins, nothing will be logged as no execs
    occur, but i've read the password file nonetheless.

    -- 
    Mark Smith
    mark at winksmith dot com
    mark at tux dot org
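
The gap described in the message above, as an added example that is not part of the original post: it classifies command words by whether the shell has to exec a separate program (the only case process accounting records) and reads a file with shell internals only. The function names `exec_visible` and `read_with_builtins` and the sample file are constructed for this illustration; it assumes a shell such as bash or dash where `read` and `printf` are builtins.

```sh
#!/bin/sh
# Added example (constructed): which command words leave a process
# accounting record? Only those the shell must exec as a separate program.

# exec_visible NAME
#   prints "exec"     if NAME resolves to a file on disk (accounted),
#          "internal" if the shell runs it itself: builtin, keyword,
#                     function or alias (no exec, nothing accounted),
#          "unknown"  if NAME does not resolve at all.
exec_visible() {
    resolved=$(command -v "$1" 2>/dev/null) || { echo unknown; return 0; }
    case $resolved in
        /*) echo exec ;;
        *)  echo internal ;;
    esac
}

# read_with_builtins FILE
#   copies FILE to stdout using only while/read/printf, the same pattern
#   as the loop in the message (assumes printf is a builtin, as in bash/dash).
read_with_builtins() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Demo on a constructed sample file (not a real account database).
sample=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/sh\nmark:x:1000:1000::/home/mark:/bin/sh\n' > "$sample"

# Report, per command word, whether an exec-based log would see it.
for word in cd for while alias set export read cat; do
    printf '%-8s %s\n' "$word" "$(exec_visible "$word")"
done

# read_with_builtins itself execs nothing, yet the contents are reproduced.
read_with_builtins "$sample"
rm -f "$sample"
```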
    
