Logging of client commands, possible?

Dan Kaminsky dan at doxpara.com
Fri Mar 15 11:03:18 EST 2002


> ... and it will still be useless against anyone with 1/4 of a clue, who
> can upload a script or binary and execute that.
>
> The place for this is a dedicated tty snooper or, better yet, real system
> audit logs.

AAAAAAAAAARGH.

Just because somebody can lie doesn't mean I'd prefer an EKG to a
confession!  This is an *adjunct* to real system audit logs, which really,
really suck when it comes to providing a useful history.  You think people
need hackers for their servers to break?  There's an old refrain about
malice, stupidity, and some swamp land in Florida you might like :-)

Dammit, Damien, which of these do you wanna debug to figure out who broke
your production server?

[root at localhost libdivxdecore-0.4.7]# ./configure
loading cache ./config.cache
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal... found
checking for working autoconf... found

or

+ echo -n 'checking whether the C++ compiler (c++  ) works... '
checking whether the C++ compiler (c++  ) works... + echo 'configure:1755: checking whether the C++ compiler (c++  ) works'
+ ac_ext=C
+ ac_cpp=$CXXCPP $CPPFLAGS
+ ac_compile=${CXX-g++} -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext 1>&5
+ ac_link=${CXX-g++} -o conftest${ac_exeext} $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5
+ cross_compiling=no
+ cat
+ eval echo configure:1771: '"${CXX-g++}' -o 'conftest${ac_exeext}' '$CXXFLAGS' '$CPPFLAGS' '$LDFLAGS' 'conftest.$ac_ext' '$LIBS' '1>&5"'

or even

rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
stat64(".", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
stat64("/usr/local/sbin/sleep", 0xbffff700) = -1 ENOENT (No such file or directory)
stat64("/usr/local/bin/sleep", 0xbffff700) = -1 ENOENT (No such file or directory)
stat64("/sbin/sleep", 0xbffff700)       = -1 ENOENT (No such file or directory)
stat64("/bin/sleep", {st_mode=S_IFREG|0755, st_size=11612, ...}) = 0
stat64("/bin/sleep", {st_mode=S_IFREG|0755, st_size=11612, ...}) = 0
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
_llseek(255, -7665, [22525], SEEK_CUR)  = 0
fork()                                  = 19523
[pid 19509] rt_sigprocmask(SIG_SETMASK, [],  <unfinished ...>
[pid 19523] getpid( <unfinished ...>
[pid 19509] <... rt_sigprocmask resumed> NULL, 8) = 0
[pid 19523] <... getpid resumed> )      = 19523
[pid 19509] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[pid 19509] rt_sigprocmask(SIG_BLOCK, [CHLD],  <unfinished ...>
[pid 19523] close(255 <unfinished ...>

--Dan
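An added example, not from this thread and not OpenSSH code: a small Python parser that pulls the successful execve() calls out of an `strace -f` log like the one quoted above and prints them as a per-process command history, following fork()/clone() return values to attach each child to its parent and stitching together the `<unfinished ...>` / `<... resumed>` halves that interleave when several processes are traced at once. The trace it runs on is constructed; the pids mirror the post's excerpt, and the `sh -c 'sleep 1; rm -rf /var/www/html'` command line is an invented stand-in for "whatever broke the production server". It needs Python 3.8 or later for shlex.join.

```python
"""Pull a per-process command history out of `strace -f` output.

Added example, not from the thread or from OpenSSH: it shows the work
needed to get "who ran what" from a syscall-level trace like the one in
the post, which a per-session command log would hand over directly.
The sample trace is constructed; its pids follow the post's excerpt.
"""
import re
import shlex
from collections import namedtuple

Exec = namedtuple("Exec", "pid ppid path argv")

# strace -f prefixes "[pid N]" once it has more than one tracee; lines
# from the main process before the first fork carry no prefix.
_PREFIX = re.compile(r"^\[pid\s+(\d+)\]\s*(.*)$")
# A complete call: name(args) = retval, e.g. "fork() = 19523".
_CALL = re.compile(r"^(\w+)\((.*)\)\s*=\s*(.+?)\s*$")
# Second half of a call that was interrupted by another process's activity.
_RESUMED = re.compile(r"^<\.\.\. (\w+) resumed>\s*(.*)$")
_UNFINISHED = "<unfinished ...>"
# execve("/path", ["argv0", "argv1", ...], [/* N vars */])
_EXEC_ARGS = re.compile(r'^"([^"]*)",\s*\[(.*?)\]')
_FORKS = {"fork", "vfork", "clone", "clone3"}


def parse_strace(lines, main_pid=None):
    """Return the successful execve() calls, oldest first, with parent pids."""
    pending = {}   # pid -> first half of an "<unfinished ...>" call
    parent = {}    # child pid -> parent pid, taken from fork/clone returns
    execs = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = _PREFIX.match(line)
        pid, body = (int(m.group(1)), m.group(2)) if m else (main_pid, line)
        if not body or body.startswith(("+++", "---")):
            continue                      # blank, exit or signal marker
        if body.endswith(_UNFINISHED):
            pending[pid] = body[: -len(_UNFINISHED)]
            continue
        r = _RESUMED.match(body)
        if r:
            head = pending.pop(pid, None)
            if head is None:
                continue                  # never saw the start of this call
            body = head + r.group(2)
        c = _CALL.match(body)
        if not c:
            continue                      # not of the form name(args) = ret
        name, args, ret = c.groups()
        if name in _FORKS and ret.isdigit():
            parent[int(ret)] = pid
        elif name == "execve" and ret == "0":
            a = _EXEC_ARGS.match(args)
            if a:
                argv = re.findall(r'"([^"]*)"', a.group(2))
                execs.append(Exec(pid, parent.get(pid), a.group(1), argv))
    return execs


def render(execs):
    """One line per exec: pid, parent pid, shell-quoted command line."""
    return [
        f"{e.pid} (parent {'?' if e.ppid is None else e.ppid}): {shlex.join(e.argv)}"
        for e in execs
    ]


# Constructed sample: a shell (pid 19509) runs sleep, then rm, under strace -f.
SAMPLE_TRACE = """\
execve("/bin/sh", ["sh", "-c", "sleep 1; rm -rf /var/www/html"], [/* 23 vars */]) = 0
stat64("/bin/sleep", {st_mode=S_IFREG|0755, st_size=11612, ...}) = 0
fork()                                  = 19523
[pid 19509] rt_sigprocmask(SIG_SETMASK, [],  <unfinished ...>
[pid 19523] getpid( <unfinished ...>
[pid 19509] <... rt_sigprocmask resumed> NULL, 8) = 0
[pid 19523] <... getpid resumed> )      = 19523
[pid 19523] execve("/bin/sleep", ["sleep", "1"], [/* 23 vars */] <unfinished ...>
[pid 19509] wait4(-1,  <unfinished ...>
[pid 19523] <... execve resumed> )      = 0
[pid 19523] exit_group(0)               = ?
[pid 19523] +++ exited with 0 +++
[pid 19509] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 19523
[pid 19509] fork()                      = 19524
[pid 19524] execve("/usr/local/bin/rm", ["rm", "-rf", "/var/www/html"], [/* 23 vars */]) = -1 ENOENT (No such file or directory)
[pid 19524] execve("/bin/rm", ["rm", "-rf", "/var/www/html"], [/* 23 vars */]) = 0
[pid 19524] +++ exited with 0 +++
"""

if __name__ == "__main__":
    print("\n".join(render(parse_strace(SAMPLE_TRACE.splitlines(), main_pid=19509))))
```

The parser only recovers what went through execve(): shell builtins, redirections that truncate a file, and the hundreds of inline test commands a configure script runs never produce a line of their own, and a failed execve() (the PATH-search ENOENT above) is deliberately dropped so it is not mistaken for a command that ran. That is the gap Dan is pointing at: syscall-level audit data can be boiled down to a command list, but only for the subset of activity that happens to exec a binary, and only after this much parsing.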
