Vulnerability Development mailing list archives
quick dirty and most of all-easy process accounting via lkm
From: security () SUPPORTTEAM NET (Security Team)
Date: Sun, 16 Apr 2000 23:41:00 -0500
http://www.securityfocus.com/data/tools/exec.c

This utility will log all execvs to syslog in the following format:

Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax

EXECVE(UID)[PID].

Combined with ngsyslogd you can have some really mean logging.

kw

----- Original Message -----
From: <chris () STRICTLY NOSUCKAZ NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Saturday, April 15, 2000 8:43 PM
Subject: Re: History Files

Okay, all this talk about bofh, and nobody has mentioned the easiest method of doing this, which is not new to Linux and provides excellent accounting on what your users are doing. I'm not sure if this saves argv[1-x] but I think it does somehow; the base accounting log is enough. Turn on 'BSD Process Accounting' in your kernel and get the BSD process accounting package for your Linux distribution. Now with the simple command: lastcomm, you see everything.

The only other 'secure' way I can think of doing this, that would achieve the best results without using kludgy scripts or a massive overhead on some 'tail' process hanging off every shell's stdin fd, is to have your shells patched to dump all input to a file or something. Process Accounting rocks though, I don't understand why you're not using it already or why this wouldn't finish this thread. =)

Chris.

On Sat, 15 Apr 2000, audit wrote:

`->Greetings,
`->
`->I admin a few Linux servers and have a question about users' .bash_history
`->files. The users on the systems keep their history files but I would like
`->to have what they type logged to /root/history/$user_history
`->I know that this is not polite on my end or the other co-admins' but we
`->need to know what our users are doing at all times. These are slackware
`->boxes and some RedHat boxes.
`->
`->Thanks
`->
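
Added example, not part of the original posts and not taken from exec.c: a parser for the EXECVE(UID)[PID] syslog line format quoted in the message above, grouping logged commands by UID. The function names are hypothetical, every sample line except the first is constructed, and it assumes each record follows the one sample line shown, with arguments joined by single spaces.

```python
import re
from collections import defaultdict

# "<timestamp> <host> kernel: EXECVE(UID)[PID]: <command line>", as quoted in the message.
# Anchored at both ends so record-like text inside a command line is never parsed as a record.
EXECVE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"EXECVE\((?P<uid>\d+)\)\[(?P<pid>\d+)\]: (?P<cmd>.*)$"
)

def parse_execve(line):
    """Return a dict for one EXECVE record, or None for any other syslog line."""
    m = EXECVE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["uid"], rec["pid"] = int(rec["uid"]), int(rec["pid"])
    # Assumption: argv is space-joined, so arguments that themselves
    # contain spaces cannot be split back apart exactly.
    rec["argv"] = rec["cmd"].split()
    return rec

def commands_by_uid(lines):
    """Map each UID to the command lines it executed, in log order."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_execve(line)
        if rec is not None:
            out[rec["uid"]].append(rec["cmd"])
    return dict(out)

# First line is the sample from the message; the rest are constructed.
SAMPLE = [
    "Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax",
    "Nov 15 00:42:31 perly kernel: EXECVE(1000)[4840]: /usr/bin/vi notes.txt",
    "Nov 15 00:42:33 perly sshd[411]: Accepted password for alice",
    "Nov  5 09:01:02 perly kernel: EXECVE(1000)[4851]: /bin/ls",
    "Nov 15 00:43:00 perly kernel: EXECVE(0)[4860]: /bin/echo kernel: EXECVE(1000)[1]: /bin/sh",
]

if __name__ == "__main__":
    for uid, cmds in sorted(commands_by_uid(SAMPLE).items()):
        print(f"uid={uid}")
        for cmd in cmds:
            print(f"  {cmd}")
```
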