Vulnerability Development mailing list archives

Re: History Files


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sat, 15 Apr 2000 17:16:35 -0700


Shell logging is tricky, since so many things that can act as shells are
lying around the typical system.

Syscall logging would be more complete, but may give a rougher picture
of what's going on (i.e. compare a history file with truss output.)

You could try some sort of tty logger, if the users aren't actively trying
to avoid logging (they can always write their own net daemon that will
exec stuff on behalf of the user, no tty involved.)

I have a few questions about the syscall logging method. It seems
pretty clear that one could start logging syscalls at a particular PID,
and pick up all the children as well.  I know as root, I can easily run
stuff that will pick up a ppid of 1.  Does a typical end user have a
way of ditching their parent id without busting root?  Cron?  At?

Does the Orange Book address any of this?

                                        BB
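As an added illustration (not part of the original message), the following constructed process-table snapshot shows what a logger rooted at one shell PID would cover, and which same-user work it would miss: processes that re-parented to init or were started by cron on the user's behalf. The snapshot, process names and helper functions are all assumed for the example.

```python
"""Why PID-rooted logging is incomplete: coverage vs. escaped processes.

Constructed snapshot of a process table as (pid, ppid, uid, comm).  It is
not taken from any real system.  Descendants of the audited shell are
"covered"; same-user processes whose ancestry never passes through that
shell are "escaped" from the logger's view.
"""
from collections import defaultdict

# Constructed sample: (pid, ppid, uid, comm)
SAMPLE_PROCS = [
    (1, 0, 0, "init"),
    (200, 1, 0, "crond"),
    (210, 1, 0, "atd"),
    (300, 1, 0, "sshd"),
    (301, 300, 1000, "bash"),   # the audited user shell (logging starts here)
    (302, 301, 1000, "vim"),
    (303, 302, 1000, "sh"),     # shell spawned from vim: still a descendant
    (400, 1, 1000, "netd"),     # daemonised: setsid, parent exited, ppid now 1
    (500, 200, 1000, "sh"),     # launched by cron for the same user
    (600, 1, 1001, "bash"),     # a different user, out of scope
]

def descendants(procs, root):
    """All pids reachable from root by following parent -> child links."""
    children = defaultdict(list)
    for pid, ppid, _, _ in procs:
        children[ppid].append(pid)
    seen, stack = set(), [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def escaped(procs, root):
    """Same-user pids a logger rooted at `root` would never attach to."""
    uid = next(p[2] for p in procs if p[0] == root)
    covered = descendants(procs, root) | {root}
    return {pid for pid, _, u, _ in procs if u == uid and pid not in covered}

def lineage(procs, pid):
    """Ancestor chain of command names up to init, to show how a pid escaped."""
    by_pid = {p[0]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][3])
        pid = by_pid[pid][1]
    return chain

if __name__ == "__main__":
    for pid in sorted(escaped(SAMPLE_PROCS, 301)):
        print(pid, " <- ".join(lineage(SAMPLE_PROCS, pid)))
```

Running it lists pid 400 (netd <- init) and pid 500 (sh <- crond <- init): the two escape routes the message asks about, direct re-parenting and cron.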

