OSEC

From: Ian Darwin (ian_at_darwinsys.com)
Date: Tue Aug 06 2002 - 20:15:20 CDT

    > On 8/4/02 9:14 PM, "Brian Pontz" <brianmothra.axehind.com> wrote:
    > > Hello all,
    > > I'm trying to make some patches for people that use OpenBSD
    > > honeypots. Basically I want to log all shell commands made to a
    > > file or syslog. I have already made some patches for the linux kernel but
    > > now I want to do it for the OpenBSD kernel. Can anyone direct me to the
    > > file to start with? I'm guessing it's in src/sys somewhere?

    Approaches involving a modified shell are too easy to defeat; the article that
    Colin Harford cited left me thinking "You can get a GIAC certification for that?" :-)

    I've thought that login would be a good place to set up logging, since that would
    work for any shell, lets you run with an unmodified shell, doesn't need an
    obvious trojan in the .profile(!), etc.

    If you want to modify the kernel, /sys/kern/kern_acct.c contains the function
    acct_process() which writes the normal acct(5)-style accounting records to a file.
    But then, if you're going to do this mod, you probably already found it instead of
    waiting to be told where. :-)

    You could extend the struct it writes to include the first "n" entries in argv, but then
    you also have to modify the tools that process this file, since with character strings
    it's a variable length field now.