Vulnerability Development mailing list archives
Re: History Files
From: Boris.Sagadin () AMIS NET (Boris Sagadin)
Date: Mon, 17 Apr 2000 12:28:55 +0200
I guess that this thread has been done to death by now, but I just wanted to add a couple of ideas. Would it be possible to wrap the exec() syscalls, and write the UID and exec() args to syslog? This would safely write a log of all successful AND un-successful commands to a location that is untouchable by non-root users. I guess that you could even get the call wrapper to check the return code from exec and write this to syslog also.
Not only possible, this has already been done, for 2.x kernels anyway:

 * exec.c 1.0.4 by Pat Szuta <perly () xnet com>
 *
 * exec.c is a kernel module which allows administrators to log all the
 * commands executed by users. Although many have done this sort of
 * thing, I haven't seen any public releases, so here it is.
 * The basic output looks like this:
Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
 * The EXECVE()[] format is: EXECVE(UID)[PID].
 * I suggest redirecting kern.info to your own file, because that's where
 * exec.c will log its stuff. You can do this by adding this line to
 * your /etc/sysconf.log, and restarting it:
kern.info /path/to/myfile
...
...

exec.c should be available somewhere on packetstorm, or I can send it on request.
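Added example (not part of the original post, and not taken from exec.c): a Python parser for the EXECVE(UID)[PID] log line format quoted above, grouping the logged commands by UID for review. The function names and every sample line except the first are constructed for this illustration, and it assumes arguments are logged space-joined as in the quoted sample line.

```python
import re
from collections import defaultdict

# Matches the line format quoted in the post:
#   Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
EXECVE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: "
    r"EXECVE\((?P<uid>\d+)\)\[(?P<pid>\d+)\]: (?P<cmd>.*)$"
)

def parse_line(line):
    """Return a dict for an EXECVE record, or None for any other kernel message."""
    m = EXECVE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["pid"] = int(rec["pid"])
    # Assumption: arguments are logged space-joined, as in the sample line, so
    # an argument containing spaces cannot be told apart from two arguments.
    # Only the program path (first token) is treated as reliable here.
    rec["program"] = rec["cmd"].split(" ", 1)[0]
    return rec

def commands_by_uid(lines):
    """Group logged command lines by the UID that executed them."""
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            grouped[rec["uid"]].append(rec["cmd"])
    return dict(grouped)

# Constructed sample input: the first line is the one quoted in the post,
# the others are made up for this example.
SAMPLE_LOG = [
    "Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax",
    "Nov 15 00:42:31 perly kernel: EXECVE(501)[4840]: /bin/ls -la /tmp",
    "Nov 15 00:42:35 perly kernel: eth0: link up",
    "Nov  5 09:01:02 perly kernel: EXECVE(501)[4851]: /usr/bin/id",
]

if __name__ == "__main__":
    for uid, cmds in sorted(commands_by_uid(SAMPLE_LOG).items()):
        print(uid, cmds)
```

Syslog timestamps in this format carry no year, so the parser keeps the timestamp as the raw string rather than converting it to a date.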