Vulnerability Development mailing list archives
Re: History Files
From: gj () HAGENAARS COM (Gert-Jan Hagenaars)
Date: Sun, 16 Apr 2000 14:45:03 -0400
Apparently, Corwin J. Grey wrote:
% Everyone keeps mentioning process accounting. That works well (and I use it
% in addition to appendonly/unerasable attributes on .bash_history). However,
% a history file is much easier to scan through and look for patterns of
% activity. Is a user trying to wipe their history file? Why? What are they
% trying to hide? Are they ftping lots of files from a site, compiling them,
% then erasing the directories? Very odd. Investigate further. Process
% accounting shows what specific processes a user ran, but it doesn't show what
% they tried to run (and failed). Did they try to run showexport (not
% installed on our box)? That won't show in psacct. Did they cat the passwd
% file? Did they try to cat the shadow file? Patterns more than explicit
% programs are important.

What you're essentially talking about is keystroke logging. This should
_not_ be done at the shell level. Hack your telnetd, rexecd, rshd, sshd
(etc.) to log keystrokes to a file. To another box if you're really paranoid.

Cheers,
Gert-Jan.

--
+++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
sed '/^[when][coders]/!d      G.J.W. Hagenaars -- gj at hagenaars dot com
    /^...[discover].$/d       Remembering Mike Carty 1968-1994
    /^..[real].[code]$/!d     UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
    ' /usr/dict/words         I'm Dutch, what's _your_ excuse?
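The gap between a history file and process accounting that the quoted message describes, as an added example that is not part of the original thread: it compares typed commands against the command names accounting recorded and pulls out the arguments accounting never stores. The history lines, the accounted command set and all function names are constructed for illustration.

```python
import shlex

# Shell builtins never produce an accounting record, so they are not failed runs.
BUILTINS = {"cd", "history", "export", "unset", "exit", "alias", "echo"}

# Constructed sample data (not from the thread): one user's history file and
# the command names process accounting recorded for the same session.
HISTORY = """\
ftp ftp.example.org
cat /etc/passwd
cat /etc/shadow
showexport fileserver
gcc -o t t.c
rm -rf ~/src
cd /tmp
rm ~/.bash_history
"""
ACCOUNTED = {"ftp", "cat", "gcc", "rm", "bash"}

def commands(history_text):
    """Yield (command name, argument list) for each non-empty history line."""
    for line in history_text.splitlines():
        try:
            words = shlex.split(line)
        except ValueError:          # unbalanced quotes: fall back to raw words
            words = line.split()
        if words:
            yield words[0].rsplit("/", 1)[-1], words[1:]

def attempted_not_run(history_text, accounted):
    """Commands typed but absent from accounting, e.g. a program not installed."""
    return sorted({cmd for cmd, _ in commands(history_text)
                   if cmd not in accounted and cmd not in BUILTINS})

def sensitive_arguments(history_text, needles=("/etc/shadow", ".bash_history")):
    """Arguments accounting does not keep: it records 'cat', not the file read."""
    return [(cmd, arg) for cmd, args in commands(history_text)
            for arg in args if any(n in arg for n in needles)]

if __name__ == "__main__":
    print(attempted_not_run(HISTORY, ACCOUNTED))
    print(sensitive_arguments(HISTORY))
```

As the reply points out, the history file is written by the user's own shell, so a result from this comparison is only as trustworthy as that file.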