"tlunt@ARPA.MIL wrote:"

[.. deleted ..]

>About ten years ago, I experimented by building a special purpose shell to
>collect this information. It was useful for collecting data for experiments.
>But in practice it is not very good, since it is so easily bypassed by those
>not wishing to be audited (they just start up a different shell).

The original post noted this, offering the "sec" shell as a means of protecting the user's account. That is, if they changed their shell the security was up to them.

If deciding to try shell logging, one would expect to incorporate shell logging into each system shell (actually interface a shell logging module to each), then state that using non-system shells is a violation of system policy. Then you have the task of detecting policy violations. This can be quite a difficult task, due to having to cope with both terminal and network logins (controlling terminal).

A naive approach would be some basic monitoring of the foreground process group (TPGID): we would expect the value of TPGID to be that of the "login shell" PID (most of the time). If we detect the value of TPGID alternating between values that aren't the PID of the login shell, we know that the user is using another shell. Additionally, you have to be aware of the terminal mode (i.e. cooked, raw, and cbreak).

But as stated, the lower you audit the harder it is to bypass. Using Sun's Solaris 2.3 auditing system, Basic Security Module (BSM), it is easier to get the shell command and arguments than trying to monitor the shell. However, it is still possible for a clever system penetrator to avoid process auditing.

>Teresa Lunt

[ original article deleted ]

--
Justin Lister  ruf@cs.uow.edu.au
Center for Computer Security Research
Dept. Computer Science, University of Wollongong
voice: 61-42-835-114   fax: 61-42-832-807
Computer Security: a utopian dream...
Disclaimer: dreaming is at own risk
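The naive TPGID monitor sketched in the post, as an added example that is not part of the original thread. It assumes a Linux-style `/proc/<pid>/stat` (field 8 is tpgid), which is an assumption on my part rather than anything the 1994 systems offered; the polled stat lines and the PIDs are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# A Linux /proc/<pid>/stat line: pid, "(comm)" (which may itself contain spaces
# or parentheses, so match greedily up to the last ')'), then the other fields.
_STAT_RE = re.compile(r"^(\d+) \((.*)\) (.*)$")

def parse_stat(line: str) -> Dict[str, object]:
    """Return pid, comm, ppid, pgrp, session, tty_nr and tpgid from a stat line."""
    m = _STAT_RE.match(line.strip())
    if not m:
        raise ValueError("not a /proc/<pid>/stat line")
    rest = m.group(3).split()   # state ppid pgrp session tty_nr tpgid ...
    return {"pid": int(m.group(1)), "comm": m.group(2), "ppid": int(rest[1]),
            "pgrp": int(rest[2]), "session": int(rest[3]),
            "tty_nr": int(rest[4]), "tpgid": int(rest[5])}

def suspect_shells(tpgid_samples: List[int], login_shell_pid: int,
                   min_returns: int = 2) -> List[int]:
    """The post's heuristic: a foreground process group that is not the login
    shell yet keeps regaining the terminal after other groups ran behaves like
    a shell. A one-shot command takes the foreground once and never returns.
    Caveat from the post: raw/cbreak-mode programs and network logins without a
    controlling tty are not covered by this check."""
    returns: Dict[int, int] = defaultdict(int)
    seen, prev = set(), None
    for pgid in tpgid_samples:
        if pgid != prev and pgid != login_shell_pid:
            if pgid in seen:
                returns[pgid] += 1      # it came back: a return to foreground
            seen.add(pgid)
        prev = pgid
    return sorted(p for p, n in returns.items() if n >= min_returns)

def monitor(stat_lines: List[str], login_shell_pid: int) -> List[int]:
    """Poll the login shell's own stat line; its tpgid field reflects whatever
    process group currently owns the controlling terminal."""
    samples = [parse_stat(s)["tpgid"] for s in stat_lines]
    return suspect_shells(samples, login_shell_pid)

# Constructed polling timeline (trailing fields truncated; real lines are longer):
# login shell 4242 idle, runs ls (4300), user starts a second shell (5100)
# which runs ls (5120) and vi (5130), then exits back to 4242.
LOGIN_SHELL_PID = 4242
TIMELINE = [4242, 4300, 4242, 5100, 5120, 5100, 5130, 5100, 4242]
POLLED_STAT = [f"4242 (bash) S 4240 4242 4242 34816 {t} 4194560 0 0"
               for t in TIMELINE]

if __name__ == "__main__":
    print("suspected non-system shells:", monitor(POLLED_STAT, LOGIN_SHELL_PID))
```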