Vulnerability Development mailing list archives
Re: History Files
From: cgrey () WCFAMILY COM (Corwin J. Grey)
Date: Sat, 15 Apr 2000 18:31:53 -0700
Everyone keeps mentioning process accounting. That works well (and I use it in addition to append-only/unerasable attributes on .bash_history). However, a history file is much easier to scan through and look for patterns of activity. Is a user trying to wipe their history file? Why? What are they trying to hide? Are they ftping lots of files from a site, compiling them, then erasing the directories? Very odd. Investigate further. Process accounting shows what specific processes a user ran, but it doesn't show what they tried to run (and failed). Did they try to run showexport (not installed on our box)? That won't show in psacct. Did they cat the passwd file? Did they try to cat the shadow file? Patterns more than explicit programs are important. I use append-only history files, process accounting, and hostsentry. Every single user I've caught trying to root our boxes has been not because a particular process showed up in process accounting, but because they started logging in at odd times, and trying to rm their history file.
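The pattern-based review the post argues for can be scripted. The following is an added example written for this archive page, not code from the poster or from any tool mentioned in the thread. It walks a .bash_history file and reports the kinds of activity the message describes: attempts to wipe or disable the history, reads of /etc/passwd or /etc/shadow, commands that were typed but are not installed (which process accounting never records), and a fetch-then-build-then-delete sequence. The sample history, the `installed` parameter and all function names are constructed for the example.

```python
import re
import shutil
from typing import Dict, List, Optional, Set

# Constructed sample ~/.bash_history modelled on the activity the post
# describes. Hypothetical: not taken from any real host.
SAMPLE_HISTORY = """\
ls -la
cat /etc/passwd
ftp ftp.example.invalid
tar xzf tool.tgz
cd tool
make
cd ..
rm -rf tool
showexport
cat /etc/shadow
rm -f ~/.bash_history
unset HISTFILE
"""

# Shell builtins never appear on PATH, so they must not be reported as
# "not installed".
BUILTINS = {"cd", "unset", "export", "history", "echo", "set", "alias", "source", "."}

# Each pattern is a category of activity worth a second look.
PATTERNS = {
    "history_tamper": re.compile(
        r"rm\s.*\.(bash_)?history\b|\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTFILE=|\bHISTSIZE=0\b"),
    "credential_read": re.compile(r"\b(cat|less|more|head|tail|vi|vim)\b.*/etc/(passwd|shadow)\b"),
    "fetch": re.compile(r"^\s*(ftp|sftp|wget|curl|scp)\b"),
    "build": re.compile(r"^\s*(make|gcc|cc|g\+\+)\b"),
    "cleanup": re.compile(r"^\s*rm\s+-\w*r"),   # recursive delete of a directory
}


def command_name(line: str) -> Optional[str]:
    """First word of a history line, skipping leading VAR=value assignments and sudo."""
    for word in line.strip().split():
        if "=" in word or word == "sudo":
            continue
        return word
    return None


def classify(line: str) -> List[str]:
    """Return every PATTERNS category that matches this history line."""
    return [tag for tag, rx in PATTERNS.items() if rx.search(line)]


def _in_order(seen: List[str], wanted: List[str]) -> bool:
    """True if the tags in `wanted` occur in `seen` in that order (not necessarily adjacent)."""
    it = iter(seen)
    return all(w in it for w in wanted)


def scan_history(text: str, installed: Optional[Set[str]] = None) -> Dict[str, object]:
    """Scan history text and collect the findings the post says to look for.

    `installed` is an explicit set of available command names; when None, the
    host's PATH is consulted via shutil.which.
    """
    findings: Dict[str, object] = {"history_tamper": [], "credential_read": [], "not_installed": []}
    sequence: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or HISTTIMEFORMAT timestamp line
            continue
        for tag in classify(line):
            if tag in ("history_tamper", "credential_read"):
                findings[tag].append((lineno, line))
            else:
                sequence.append(tag)
        cmd = command_name(line)
        if cmd and cmd not in BUILTINS:
            present = (cmd in installed) if installed is not None else shutil.which(cmd) is not None
            if not present:
                findings["not_installed"].append((lineno, cmd))
    # The "ftp a tarball, compile it, erase the directory" pattern from the post.
    findings["fetch_build_cleanup"] = _in_order(sequence, ["fetch", "build", "cleanup"])
    return findings


if __name__ == "__main__":
    for key, value in scan_history(SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

Run against a real file with `scan_history(open(path).read())`; the `installed` set is only there so the check for "typed but not installed" can be made deterministic in a test. The script is a reading aid, not a replacement for process accounting: a user who starts a different shell or sets HISTFILE before doing anything leaves no lines here, which is exactly why the post pairs history review with psacct and append-only attributes.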