Tuesday, January 06, 2004

Options for Securing Shell History in FreeBSD

I was looking for a tool to secure shell histories in FreeBSD. Ideally I was looking for the FreeBSD equivalent of Snare, which can record user activities on Linux, Windows, and Solaris. I learned today Snare is the foundation for the Forensix Project. The Honeynet Project links to several tools, including the Sebek LKM. Ryan Barnett of honeypots.sf.net wrote an extensive guide (.pdf) to Snare usage.

Unfortunately I couldn't find exactly that, but I did locate this excellent article at DefCon1.org. The author explains how to use FreeBSD's chflags utility to prevent users from deleting the Bash history file (.bash_history). The author also explains how to enable process accounting (acct) and briefly covers the sa and lastcomm utilities, which summarize and list the commands the accounting file records. His recommendations worked on one of my FreeBSD 4.9 REL boxes as described.
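To make the two pieces concrete, here is a small script of my own (an added example, not code from the DefCon1.org article) that locks a user's history file with chflags, switches on process accounting, and then audits both from ls and lastcomm output. The user name "alice", the script name histlock.sh and the sample ls/lastcomm lines are all made up for the example; the apply branch needs root on FreeBSD, while the two audit functions run on any system with sh and awk.

```shell
#!/bin/sh
# Added example, not from the original post or the DefCon1.org article:
# lock a Bash history file with chflags(1), switch on process
# accounting, and audit both. The sample ls(1)/lastcomm(1) lines below
# are constructed; user "alice" and the paths are placeholders.

ACCT_FILE=/var/account/acct   # FreeBSD's default accounting file

# Make the history file system-append-only. Only root can set sappnd,
# and it cannot be cleared at all while kern.securelevel >= 1, so the
# user keeps appending but can no longer truncate, delete or rename it.
# Caveat: Bash rewrites (truncates) the history file on exit unless
# `shopt -s histappend` is set, so put that in the user's shell startup
# files, together with PROMPT_COMMAND='history -a' so each command is
# appended as it runs rather than only when the shell exits cleanly.
lock_history() {
    user=$1
    hist=$(eval echo "~$user")/.bash_history
    [ -f "$hist" ] || : > "$hist"        # create it if the user has none yet
    chown "$user" "$hist"
    chmod 0600 "$hist"
    chflags sappnd "$hist"
}

# Turn on BSD process accounting. Every process that exits is recorded
# in $ACCT_FILE (command name, uid, tty, CPU time, flags); arguments
# are NOT recorded, which is why the history file still matters.
# Add accounting_enable="YES" to /etc/rc.conf to keep it on after reboot.
enable_accounting() {
    [ -f "$ACCT_FILE" ] || : > "$ACCT_FILE"
    chmod 0600 "$ACCT_FILE"
    accton "$ACCT_FILE"        # `accton` with no argument switches it off
}

# Portable check on one line of `ls -lo` output: FreeBSD prints the file
# flags as the fifth column ("-" when none, comma-separated otherwise).
# Only the system flags count as locked: the owner can clear uappnd/uchg
# with `chflags nouappnd` at any time.
history_locked() {
    flags=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flags," in
        *,sappnd,*|*,schg,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Portable filter over lastcomm(1) output read from stdin (columns:
# command, flags, user, tty, ...). Prints "command user tty" for each
# record where USER ran something that could tamper with a history file.
# lastcomm shows only the program name (truncated to 16 characters), so
# a shell builtin such as `history -c` never appears here.
history_tampering_by() {
    awk -v user="$1" '
        BEGIN { n = split("rm mv chflags unlink truncate", w, " ")
                for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        $3 == user && ($1 in watch) { print $1, $3, $4 }'
}

# Constructed sample output for the two checks above.
SAMPLE_LS_LOCKED='-rw-------  1 alice  alice  sappnd  1234 Jan  6 10:00 /home/alice/.bash_history'
SAMPLE_LS_USERFLAG='-rw-------  1 alice  alice  uappnd  1234 Jan  6 10:00 /home/alice/.bash_history'
SAMPLE_LS_PLAIN='-rw-------  1 alice  alice  -  1234 Jan  6 10:00 /home/alice/.bash_history'
SAMPLE_LASTCOMM='sh        -    alice  ttyp0      0.01 secs Tue Jan  6 10:00
ls        -    alice  ttyp0      0.00 secs Tue Jan  6 10:00
chflags   -    alice  ttyp0      0.00 secs Tue Jan  6 10:01
rm        -S   root   ttyp1      0.00 secs Tue Jan  6 10:02
rm        -    alice  ttyp0      0.00 secs Tue Jan  6 10:03'

case "${1:-}" in
    apply)   # as root on FreeBSD: ./histlock.sh apply alice
        lock_history "${2:?user name required}"
        enable_accounting ;;
    *)       # anywhere: run the audit logic over the constructed samples
        history_locked "$SAMPLE_LS_LOCKED" && echo "sample history file is locked"
        printf '%s\n' "$SAMPLE_LASTCOMM" | history_tampering_by alice ;;
esac
```

Run without arguments it only exercises the audit helpers on the constructed samples; `histlock.sh apply alice` as root does the real work. Neither control is airtight on its own: a user can point HISTFILE elsewhere or start a different shell, and accounting records command names without arguments, so the two are worth using together, with the accounting file itself protected the same way.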

