Subject: Re: User's .bash_history
From: ~jim (jjd+flQUEBIX.NET)
Date: Fri Sep 29 2000 - 16:34:44 CDT


Thus spaketh "Fyodor":
*> ~:Hate to tell you, but a readonly variable can't be re-exported. It's
*> ~:immutable.
*> ~:
*>
*> Missed the beginning of the thread, sorry for the mess :). Anyway the point
*> of the post was that tweaking r/o variables, restricted shells, and
*> chrooted environments is too much hassle and smartheads will always find
*> ways around. E.g. if they have access to compilers or even just ability to
*> upload and exec their own binaries, they can spawn a copy of shell with
*> exect and set whichever environment they would want.
*>
*> it's much easier and more reliable to watch'em from kernel space. (until
*> they manage to root you first, they hardly can do much about it).

I came across this over on vuln-dev a few months ago. It's a simple little
kernel module that lets you log all of your users' commands through syslog -
heavy emphasis on the *all*. Because the log will fill up fast, especially
if you have a lot of users, you would probably be best off logging to another
machine if you're short on disk space (easily done since it's through syslog).

Alternatively you can easily modify it to only log certain mischievous users
or ignore the trusted ones (read: yourself). I've been using this for a while
now and it has proven its worth.

                   http://home.xnet.com/~perly/exec.c

All the best,
~jim

------------------------- /"\ ------------------------------
| ~jim distefano | \ / ASCII Ribbon Campaign |
| jjdayebixquay.etnay | X Against HTML & Outlook Mail |
| http://quebix.net/ | / \ http://www.thebackrow.net |
------------------------------------------------------------

#include <std/disclaimer.h>
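
Added example, not part of the original message and not code from exec.c (whose contents are not shown here): a userspace C sketch of the per-user filter the message suggests, deciding by uid whether an exec event is logged and building the syslog record. The trusted uid list, the function names and the record layout are assumptions; it goes slightly beyond the text by replacing control bytes and truncating long commands so one argument cannot forge extra log lines.

```c
/* Added example: userspace sketch of the per-user filter for exec logging.
 * All names and the uid list are hypothetical, not taken from exec.c. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>

/* Assumed policy: uids whose commands are not logged (e.g. the admin). */
static const uid_t trusted_uids[] = { 1000 };

static int should_log(uid_t uid)
{
    size_t i;
    for (i = 0; i < sizeof trusted_uids / sizeof trusted_uids[0]; i++)
        if (trusted_uids[i] == uid)
            return 0;
    return 1;
}

/* Write "uid=N cmd=<argv joined by spaces>" into out (cap >= 32 bytes).
 * Control bytes become '?' so an argument cannot forge extra log lines;
 * overlong commands are truncated. Returns 1 if a record was produced. */
int format_exec_record(uid_t uid, char *const argv[], char *out, size_t cap)
{
    size_t len;
    const char *w;
    int i;

    if (cap < 32 || !should_log(uid))
        return 0;
    len = (size_t)snprintf(out, cap, "uid=%lu cmd=", (unsigned long)uid);
    for (i = 0; argv[i] != NULL; i++) {
        if (i > 0 && len + 1 < cap)
            out[len++] = ' ';
        for (w = argv[i]; *w != '\0' && len + 1 < cap; w++)
            out[len++] = ((unsigned char)*w < 0x20 || *w == 0x7f) ? '?' : *w;
    }
    out[len] = '\0';
    return 1;
}

int main(void)
{
    char rec[256];
    char *argv_sample[] = { "cat", "/etc/passwd", NULL }; /* constructed */

    openlog("execlog", LOG_PID, LOG_AUTH);
    if (format_exec_record(1001, argv_sample, rec, sizeof rec))
        syslog(LOG_INFO, "%s", rec);
    closelog();
    return 0;
}
```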