Re: lastcomm

G_P_Brefini%mbcorp1@MBMGATE1.mitre.org
Mon, 19 Sep 94 12:57:37 EDT

Please take me off the subscription.
Thanks.

Gary Brefini
The MITRE Corp



Pascal was discussing command-line auditing...

This is almost keystroke monitoring; if you're going to go to that length,
y'might as well shovel everyone through a shell shim that sets up a pair
of PTYs and logs all the characters that the user stuffs through it.

There have been times, though, when I've REALLY wanted more information than
what "lastcomm" gives us [if it gives us anything at all].

I remember an occasion when I wound up using that old TIOCSTI program to bang
"history > /tmp/xxx" into an intruder's [?] input buffer, just so I could see
what he'd been doing all that time.  It worked, and then someone pointed out
that the machine in question had "gcore", which wouldn't have clued the guy in
that I was on to him...

_H*
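
The PTY-pair logging shim mentioned in the message above, as an added example that is not part of the original post: a program is run on a fresh pseudo-terminal and every byte pushed into it is logged with a timestamp. The function name `record_session` is hypothetical, a POSIX system with Python's `pty` module is assumed, and the keystrokes are supplied by the caller here rather than read from a live terminal.

```python
import os
import pty
import select
import signal
import time


def record_session(argv, keystrokes, timeout=5.0):
    """Run argv on a new PTY, feed it `keystrokes`, return (input_log, output).

    input_log is a list of (unix_time, bytes) entries, one per write to the
    PTY master, which is the audit trail the shim exists to produce.
    """
    pid, master = pty.fork()
    if pid == 0:
        # Child: stdin/stdout/stderr are already the PTY slave.
        os.execvp(argv[0], argv)
    input_log = []
    output = bytearray()
    pending = bytearray(keystrokes)
    deadline = time.monotonic() + timeout
    try:
        while time.monotonic() < deadline:
            want_write = [master] if pending else []
            readable, writable, _ = select.select([master], want_write, [], 0.2)
            if writable:
                n = os.write(master, pending)
                # Log exactly what was delivered to the session, and when.
                input_log.append((time.time(), bytes(pending[:n])))
                del pending[:n]
            if readable:
                try:
                    data = os.read(master, 4096)
                except OSError:
                    break  # EIO on Linux: the child closed the slave side
                if not data:
                    break
                output += data
        else:
            # Timed out with the child still running: stop it before reaping.
            os.kill(pid, signal.SIGKILL)
    finally:
        os.close(master)
        os.waitpid(pid, 0)
    return input_log, bytes(output)
```

Because the terminal echoes input, the returned output also contains what was typed; the separate input log is what distinguishes user keystrokes from program output.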