Logging user activities
Jason Stone
freebsd-security at dfmm.org
Tue Jan 6 18:31:37 PST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history',
I think that this has come up on this list before - check the archives.
Anyway, my feeling on this is that relying on shell history tricks is
entirely the wrong approach - anyone who's going to be abusing a system is
going to turn off shell history first thing. Any silly tricks you do to
try and prevent that can easily be worked around by using another shell,
or by running commands through a mechanism other than the shell (:!command
in vi, cat | xargs perl -ple 'system "$_"', etc).
Sniffing ttys is a step up, though it's still possible to log in through
ssh/rsh and run commands without allocating a tty.
Be cautious about sniffing ttys, though - if users log into other systems
from this system, or if they connect to services running locally that
require authentication, you'll be collecting a tidy pile of very sensitive
information all in one place, making for easy stealing. Consider using
crypto, streaming to another, more hardened host, securely destroying the
logs on a regular basis, etc. And of course you should consider the legal
and ethical issues implicated by keystroke logging....
Finally, process accounting will universally collect info on every process
that gets run, but it looks like it doesn't log arguments and that it caps
command names to sixteen characters, which is kind of limiting.
-Jason
--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE/+2+DswXMWWtptckRArPiAKCQHnlWgWothPwydKju+4NAOwDqQwCfSJVD
aVA1fq9IUiBhYFh0yAShcVQ=
=pNg+
-----END PGP SIGNATURE-----
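Editor's added example (not part of Jason's post, and not FreeBSD code): a small Python decoder for BSD-style process-accounting records that makes the limitation he describes concrete. It assumes the Linux `struct acct_v3` layout from `<linux/acct.h>` (64-byte records, little-endian host); FreeBSD's on-disk record differs, but the relevant properties are the same: a 16-byte `ac_comm` field holding only the executable's basename (Linux stores at most 15 characters plus a NUL), no arguments, and a uid/pid/ppid/tty per exec. The sample `pacct` data is constructed inline with a helper that mimics what the kernel would have recorded for the bypasses named in the post (`:!command` from vi, commands fed to `perl -ple 'system "$_"'`, a command run over ssh without a tty); the argv strings in that helper exist only to show what is lost.

```python
"""Decode Linux BSD-style process-accounting records (struct acct_v3).

Added example; assumes the Linux <linux/acct.h> layout on a little-endian host.
"""
import struct

ACCT_COMM = 16                                      # size of ac_comm in bytes
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")  # 64-byte record
AFORK, ASU, ACOMPAT, ACORE, AXSIG = 0x01, 0x02, 0x04, 0x08, 0x10  # ac_flag bits
AHZ = 100                                           # ticks per second for comp_t times


def decode_comp_t(c):
    """comp_t: 3-bit base-8 exponent in the top bits, 13-bit mantissa below."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def encode_comp_t(value):
    """Inverse of decode_comp_t; only used here to build constructed records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_record(buf):
    """Unpack one 64-byte acct_v3 record into the fields an investigator cares about."""
    (flag, _version, tty, exitcode, uid, _gid, pid, ppid, _btime, _etime,
     utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps, comm) = ACCT_V3.unpack(buf)
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),  # basename only, no argv
        "uid": uid,
        "pid": pid,
        "ppid": ppid,
        "tty": tty,                      # 0: no controlling terminal (e.g. "ssh host cmd")
        "setuid": bool(flag & ASU),
        "forked": bool(flag & AFORK),
        "utime_s": decode_comp_t(utime) / AHZ,
        "stime_s": decode_comp_t(stime) / AHZ,
        "exit": exitcode,
    }


def parse_pacct(data):
    """Split a pacct byte string into records, ignoring any trailing partial record."""
    n = len(data) - len(data) % ACCT_V3.size
    return [parse_record(data[i:i + ACCT_V3.size]) for i in range(0, n, ACCT_V3.size)]


# ---- constructed sample data (not a real pacct file) ---------------------------

def kernel_comm(path):
    """What the kernel would store in ac_comm: the executable's basename,
    cut to ACCT_COMM-1 characters so the NUL terminator fits. Arguments never appear."""
    return path.rsplit("/", 1)[-1][:ACCT_COMM - 1]


def make_record(argv, uid, pid, ppid, tty, utime_ticks=3, flags=AFORK):
    """Build the record accounting would have written for argv (constructed data)."""
    comm = kernel_comm(argv[0]).encode().ljust(ACCT_COMM, b"\0")
    return ACCT_V3.pack(flags, 3, tty, 0, uid, uid, pid, ppid, 1073420000, 0.5,
                        encode_comp_t(utime_ticks), encode_comp_t(1),
                        0, 0, 0, 0, 0, 0, comm)


SAMPLE_PACCT = b"".join([
    make_record(["/usr/bin/vi", "notes.txt"], 1001, 4242, 4200, tty=1),
    make_record(["/bin/sh", "-c", "cat /etc/master.passwd"], 1001, 4243, 4242, tty=1),  # vi's :!command
    make_record(["/bin/cat", "/etc/master.passwd"], 1001, 4244, 4243, tty=1),
    make_record(["/usr/bin/perl", "-ple", 'system "$_"'], 1001, 4250, 4249, tty=1),
    make_record(["/usr/local/bin/very_long_program_name", "--wipe"], 1001, 4260, 4201, tty=0),
])


def what_accounting_saw(data=SAMPLE_PACCT):
    """Command names as accounting recorded them: truncated, argument-free."""
    return [r["comm"] for r in parse_pacct(data)]


if __name__ == "__main__":
    for r in parse_pacct(SAMPLE_PACCT):
        print(f"uid={r['uid']} pid={r['pid']} ppid={r['ppid']} tty={r['tty']} comm={r['comm']!r}")
```

Reading the decoded sample, the only trace of the `:!command` escape is a `sh` whose parent pid is the `vi`, and the `perl` record says nothing about the commands it was fed; the long program name is cut off and the ssh-run command shows `tty=0`. Correlating on ppid is about as far as this data source lets you go.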