Re: process accounting

mark.securityfocus_at_winksmith.com
Date: 05/28/03

  • Next message: Andrew Griffiths: "Re: more on linux hardening"
    Date: Tue, 27 May 2003 18:50:06 -0400
    To: Reveret Julien <shaddai@nerim.net>
    
    

    On Tue, May 27, 2003 at 07:15:02PM +0200, Reveret Julien wrote:
    > > > What you can do is patch your system with grsec patches, or patch your
    > > > users' shell. There is a patch for bash which makes bash log everything
    > > > that is typed (I don't remember the url, search for bash+logging+patch).
    > >
    > >
    > > Why don't you use the good old process accounting feature?
    >
    > Because this guy wants to log all the arguments of every command run by
    > users, process accounting doesn't.

    also, there are commands which bash will execute, but do not
    translate into a separate command (builtins). these include,
    but are not limited to: cd, dirs, for, while, alias, set,
    export, <variable-assignment>, <file-sourcing>, and so forth.

    an interesting approach would be to do something like:

            cat < /etc/passwd

    the user ran "cat" and that is logged, but the interesting
    part of the activity (namely the looking at the password
    file) is not logged.

    more, the following script:

            while read line
            do
                    echo $line
            done < /etc/passwd

    is all shell builtins, nothing will be logged as no execs
    occur, but i've read the password file nonetheless.

    -- 
    Mark Smith
    mark at winksmith dot com
    mark at tux dot org
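
Added example, not part of the original message: a POSIX shell script that reproduces the point above by running the builtin-only loop with PATH pointing nowhere, so that nothing can be exec'd by name, and contrasting it with `cat` under the same condition. The function names, the constructed sample file and the `/nonexistent` directory (assumed not to exist) are illustrative assumptions.

```sh
#!/bin/sh
# "external" = a program that must be exec'd (visible to exec-based logging);
# "shell" = a builtin or keyword handled inside the shell process itself.
kind_of() {
    case $(command -v "$1" 2>/dev/null) in
        /*) echo external ;;
        '') echo unknown ;;
        *)  echo shell ;;
    esac
}

# The loop from the message, with IFS= and -r so lines are reproduced exactly.
# The redirection makes the shell itself open the file; read and printf are
# builtins in bash and dash, so no exec happens.
read_with_builtins() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Run the loop with PATH set to a directory assumed not to exist, so no
# external program can be located by name. The read still succeeds.
read_without_exec() {
    saved_path=$PATH
    PATH=/nonexistent
    read_with_builtins "$1"
    rc=$?
    PATH=$saved_path
    return "$rc"
}

# Contrast: an external command cannot start under the same condition.
cat_without_path() {
    ( PATH=/nonexistent; cat "$1" ) >/dev/null 2>&1
}

# Constructed sample data standing in for a sensitive file.
sample=$(mktemp) || exit 1
printf 'root:x:0:0::/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$sample"
for word in cat read cd while; do
    printf '%-6s %s\n' "$word" "$(kind_of "$word")"
done
read_without_exec "$sample"
cat_without_path "$sample" || echo "cat: cannot run with PATH=/nonexistent"
rm -f "$sample"
```

Because the open happens inside the shell process, it only becomes visible to logging that records file opens, not program executions.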
    
