Security - logging of user commands

Damien Fleuriot ml at my.gd
Wed Jul 25 20:30:05 UTC 2012


On 25 Jul 2012, at 18:15, jb <jb.1234abcd at gmail.com> wrote:

> Damien Fleuriot <ml <at> my.gd> writes:
> 
>> ... 
>>> From my syslog.conf:
>> auth.info;authpriv.info                         /var/log/auth.log
>> 
>> Yet I'm seeing not a trail in /var/log/auth.log , or messages, or even
>> in secure
>> ... 
> 
> # less /var/log/auth.log 
> Feb 22 21:13:56 localhost newsyslog[1503]: logfile first created
> Feb 22 21:14:07 localhost login: login on ttyv0 as jb
> Feb 22 21:14:15 localhost su: jb to root on /dev/ttyv0
> ...
> Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3
> Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch 
> /etc/ld.so.preload 
> Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2
> cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c
> ^/usr/local/lib//snoopy.so /etc/ld.so.preload 
> Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log 
> Jul 25 17:54:03 localhost snoopy[50148]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/touch]: touch test1 
> Jul 25 17:54:08 localhost snoopy[50149]: [uid:0 sid:46687 tty:/dev/pts/3
> cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log 
> [root at localhost /home/jb]#
> 
> jb
> 

Thanks for taking the time to show me it works, at least for you.

What fbsd and snoopy versions might these be?


