Logging user activities
Robert Watson
rwatson at freebsd.org
Wed Jan 7 12:39:24 PST 2004
On Tue, 6 Jan 2004, Richard Bejtlich wrote:
> What do you recommend for keeping track of user activities? For
> preserving bash histories I followed these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history', enabling process
> accounting, and the like.
>
> My goal is to "watch the watchers," i.e. watch for abuse of power by SOC
> people with the ability to view traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities too. I may also
> try some of the patches to bash listed at project.honeynet.org which
> send keystrokes to a remote server. Hardware keystroke logging is
> always a possibility.
>
> For more, should I turn to TrustedBSD integration in a future 5.x
> release?

One of the "Coming soon" features for the next year will be Audit support
for FreeBSD, based on some work we did on a related operating system
platform. There's been some prior work on Audit on FreeBSD, but it's
never been completed and merged. However, Audit requires some fairly
extensive changes, so I wouldn't look for it before August of 2004, I
think. I've been vaguely thinking about taking a few weeks off work to
jumpstart it, but I haven't really found time.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research