Re: AW: [suse-security] Log/Audit all user commands
From: Cees van de Griend (cees-list griend.xs4all.nl)
Date: Fri May 30 2003 - 09:55:03 CDT
On Wednesday 28 May 2003 09:34, Ulrich Roth wrote:
> Hi Ricardo,
>
> > Hi, I am having a little problem I need to solve
> > quickly. I have one intruder (long to explain now)
> > which edited the passwd file and set his user with 0
> > id (as root). I don't want to block him. I want to log
> > all his actions, moves, commands, etc. How can I do
> > that?
>
> If he didn't disable it or uses another shell, you can
> have a look at his ~/.bash_history.

I believe I've seen a patch for bash somewhere to send all commands to
syslogd.

If you can't find it, it should not be difficult to find the place in the
sources where the logging to '~/.bash_history' is done and add a few lines of
code to log it to a syslog facility.

You can send all syslog messages to a remote host, which you should lock down
very tight.

As someone else noted, remove all shells except this patched version of bash.

Regards,
Cees.
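
The kind of helper the message above describes, as an added example that is not part of the original post and not code from bash or from any existing patch: a routine a patched shell could call at the point where it saves a history line. The function names, the `shell-audit` tag and the choice of the `LOG_LOCAL6` facility are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Build one audit record for a command line. Control characters and
 * backslashes are escaped as \xNN so an embedded newline cannot forge a
 * second log entry. Returns the record length (excluding the NUL). */
size_t audit_format(char *out, size_t outsz, unsigned uid, const char *cmd)
{
    int n = snprintf(out, outsz, "uid=%u cmd=", uid);
    if (n < 0 || (size_t)n >= outsz)
        return 0;
    size_t pos = (size_t)n;
    for (const unsigned char *p = (const unsigned char *)cmd; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || *p == '\\') {
            if (pos + 4 >= outsz)
                break;                 /* truncate rather than overflow */
            pos += (size_t)snprintf(out + pos, outsz - pos, "\\x%02x", *p);
        } else {
            if (pos + 1 >= outsz)
                break;
            out[pos++] = (char)*p;
        }
    }
    out[pos] = '\0';
    return pos;
}

/* Hypothetical hook: call this where the shell records a history line. */
void audit_log_command(const char *cmd)
{
    char rec[1024] = "";
    audit_format(rec, sizeof rec, (unsigned)getuid(), cmd);
    openlog("shell-audit", LOG_PID, LOG_LOCAL6);
    syslog(LOG_INFO, "%s", rec);   /* fixed "%s": cmd is never the format */
}

int main(void)
{
    /* Constructed input: a command line carrying an embedded newline. */
    audit_log_command("cat /etc/passwd\nfake entry");
    return 0;
}
```

With classic syslogd, a rule such as `local6.* @loghost` (loghost being a placeholder name) forwards these records to the remote host.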