Vulnerability Development mailing list archives

Re: History Files


From: gj () HAGENAARS COM (Gert-Jan Hagenaars)
Date: Sun, 16 Apr 2000 14:45:03 -0400


Apparently, Corwin J. Grey wrote:
% Everyone keeps mentioning process accounting. That works well (and I use it
% in addition to appendonly/unerasable attributes on .bash_history). However,
% a history file is much easier to scan through and look for patterns of
% activity. Is a user trying to wipe their history file? Why? What are they
% trying to hide? Are they ftping lots of files from a site, compiling them,
% then erasing the directories? Very odd. Investigate further. Process
% accounting shows what specific processes a user ran, but it doesn't show what
% they tried to run (and failed). Did they try to run showexport (not
% installed on our box)? That won't show in psacct. Did they cat the passwd
% file? Did they try to cat the shadow file? Patterns more than explicit
% programs are important.

What you're essentially talking about is keystroke logging.  This should
_not_ be done at the shell level.  Hack your telnetd, rexecd, rshd,
sshd (etc.) to log keystrokes to a file.  To another box if you're
really paranoid.

Cheers,
Gert-Jan.

--
+++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
    /^...[discover].$/d          Remembering Mike Carty 1968-1994
   /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
' /usr/dict/words                I'm Dutch, what's _your_ excuse?
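The pattern scan over a history (or keystroke) log that the quoted message describes, as an added example that is not part of the original thread and not code from either poster. The sample history lines, the rule names and regexes, and the allowlist of commands "installed on the box" are all constructed for the example; the same rules apply unchanged to a keystroke log written by a patched telnetd/sshd, which is where Gert-Jan says the capture belongs.

```python
import re

# Constructed sample ~/.bash_history (not from the original post); the lines
# mirror the behaviours Corwin's message describes.
SAMPLE_HISTORY = """\
cd /tmp
ftp ftp.example.invalid
tar xzf pkg.tar.gz
cd pkg
make
cd ..
rm -rf pkg
cat /etc/passwd
cat /etc/shadow
showexport
rm ~/.bash_history
history -c
""".splitlines()

# Single-line rules. Names and regexes are this example's own choices.
RULES = [
    ("history_wipe",
     re.compile(r"\brm\b.*\.(bash_)?history\b|\bhistory\s+-c\b|"
                r"\bunset\s+HISTFILE\b|HISTFILE=/dev/null")),
    ("shadow_read",
     re.compile(r"\b(cat|less|more|head|tail|vi|vim|cp|strings)\s+\S*/etc/(shadow|master\.passwd)\b")),
    ("passwd_read",
     re.compile(r"\b(cat|less|more|head|tail)\s+\S*/etc/passwd\b")),
]

# Multi-line sequence: fetch something, build it, then remove the directory.
FETCH = re.compile(r"^\s*(ftp|wget|curl|lynx|fetch|scp)\b")
BUILD = re.compile(r"^\s*(make|gcc|cc|g\+\+|\./configure)\b")
WIPE = re.compile(r"^\s*rm\s+-\w*r")   # rm with a recursive flag

# Constructed allowlist of commands known to exist on the box.
KNOWN_COMMANDS = {"cd", "ftp", "tar", "make", "rm", "cat", "history"}


def scan_history(lines):
    """Return (line_no, rule_name, line) for every single-line rule hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name, line))
    return hits


def find_fetch_build_wipe(lines, window=8):
    """Return (fetch, build, wipe) line numbers for fetch -> build -> rm -r
    sequences that complete within `window` lines of the fetch."""
    found = []
    for i, line in enumerate(lines, 1):
        if not FETCH.search(line):
            continue
        last = min(i + window, len(lines))
        build = next((j for j in range(i + 1, last + 1)
                      if BUILD.search(lines[j - 1])), None)
        if build is None:
            continue
        wipe = next((k for k in range(build + 1, last + 1)
                     if WIPE.search(lines[k - 1])), None)
        if wipe is not None:
            found.append((i, build, wipe))
    return found


def unknown_commands(lines, known):
    """Return (line_no, command) for commands not in the allowlist: the
    attempts psacct never records because no process was ever started."""
    out = []
    for n, line in enumerate(lines, 1):
        words = line.split()
        if words and words[0] not in known:
            out.append((n, words[0]))
    return out


if __name__ == "__main__":
    for n, name, line in scan_history(SAMPLE_HISTORY):
        print(f"line {n}: {name}: {line}")
    for i, j, k in find_fetch_build_wipe(SAMPLE_HISTORY):
        print(f"fetch/build/wipe sequence at lines {i}, {j}, {k}")
    for n, cmd in unknown_commands(SAMPLE_HISTORY, KNOWN_COMMANDS):
        print(f"line {n}: attempted command not on this box: {cmd}")
```

The three functions correspond to the three kinds of evidence the message cares about: single suspicious commands, a sequence that only looks odd in context, and commands that never became processes. Run it against a real log with `scan_history(open(path).read().splitlines())`; the allowlist for `unknown_commands` would normally be built from the directories in the users' `PATH` rather than typed in by hand.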

