Re: AW: [suse-security] Log/Audit all user commands
From: Cees van de Griend (cees-listgriend.xs4all.nl)
Date: Fri May 30 2003 - 09:55:03 CDT
On Wednesday 28 May 2003 09:34, Ulrich Roth wrote:
> Hi Ricardo,
> > Hi, I am having a little problem I need to solve
> > quickly. I have one intruder (long to explain now)
> > which edited the passwd file and set his user with 0
> > id (as root). I don't want to block him. I want to log
> > all his actions, moves, commands, etc. How can I do
> > that?
> If he didn't disable it or uses another shell, you can
> have a look at his ~/.bash_history.
I believe I've seen a patch for bash somewhere to send all commands to
If you can't find it, it should not be difficult to find the place in the
sources where the logging to '~/.bash_history' is done and add a few lines of
code to log it to a syslog facility.
You can send all syslog messages to a remote host, which you should lock down
As someone else noted, remove all shells except this patched version of bash.
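The kind of syslog hook the message above describes, as an added example (not part of the original post and not an actual bash patch): the function names, the record format, the buffer cap and the `LOG_AUTHPRIV` facility are assumptions. It replaces control characters before logging so that a recorded command cannot forge extra log lines.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>

#define CMDLOG_MAX 600   /* assumed cap on one log record */

/* Build the log record for one command line. Control characters (including
 * newlines) become '?' so a command cannot inject forged log entries.
 * Returns the record length, or 0 if the buffer cannot hold the prefix. */
size_t cmdlog_format(char *out, size_t outsz, uid_t uid, pid_t pid, const char *line)
{
    int n = snprintf(out, outsz, "HISTORY: PID=%ld UID=%lu ",
                     (long)pid, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outsz)
        return 0;
    size_t pos = (size_t)n;
    /* Copy the command, truncating silently when the buffer is full. */
    for (const unsigned char *p = (const unsigned char *)line;
         *p && pos + 1 < outsz; p++)
        out[pos++] = (*p < 0x20 || *p == 0x7f) ? '?' : (char)*p;
    out[pos] = '\0';
    return pos;
}

/* Hypothetical hook: call from the place where the shell saves a line to
 * its history file. */
void cmdlog_syslog(const char *line)
{
    char buf[CMDLOG_MAX];
    if (cmdlog_format(buf, sizeof buf, getuid(), getpid(), line) == 0)
        return;
    openlog("bash", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_INFO, "%s", buf);  /* "%s": never use the command as a format */
    closelog();
}

int main(void)
{
    /* Constructed sample input: a command with an embedded newline. */
    cmdlog_syslog("cat /etc/shadow\nMay 30 09:55:03 host sshd: fake entry");
    return 0;
}
```

Forwarding these records to the remote log host is left to the local syslog daemon's configuration.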