On Wednesday 28 May 2003 09:34, Ulrich Roth wrote:
Hi Ricardo,
Hi, I am having a little problem I need to solve quickly. I have one intruder (long to explain now) which edited the passwd file and set his user with 0 id (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that?
If he didn't disable it or uses another shell, you can have a look at his ~/.bash_history.
I believe I've seen a patch for bash somewhere to send all commands to syslogd. If you can't find it, it should not be difficult to find the place in the sources where the logging to '~/.bash_history' is done and add a few lines of code to log it to a syslog facility.

You can send all syslog messages to a remote host, which you should lock down very tight. As someone else noted, remove all shells except this patched version of bash.

Regards,
Cees.
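
The syslog logging suggested in the message above could look like the following. This is an added example, not part of the original thread and not the bash patch it mentions; the names `format_cmd_record` and `log_command`, the "HISTORY:" tag and the sample account name are assumptions. The record carries the login name as well as the uid, since the account in question shares uid 0 with root.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>

/* Build one log record for a command line. Control bytes, non-ASCII bytes
 * and backslashes are written as \xNN so that a command containing a
 * newline cannot forge a second syslog entry.
 * Returns the record length, or -1 if the record does not fit in out. */
int format_cmd_record(char *out, size_t outlen, uid_t uid,
                      const char *user, const char *cmd)
{
    int n = snprintf(out, outlen, "HISTORY: uid=%lu user=%s cmd=",
                     (unsigned long)uid, user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t pos = (size_t)n;
    for (const unsigned char *p = (const unsigned char *)cmd; *p; p++) {
        if (*p < 0x20 || *p >= 0x7f || *p == '\\') {
            if (pos + 4 >= outlen)
                return -1;
            snprintf(out + pos, 5, "\\x%02x", *p);
            pos += 4;
        } else {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = (char)*p;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Hypothetical hook: call it where the shell stores a line in its history. */
void log_command(uid_t uid, const char *user, const char *cmd)
{
    char rec[1024];
    if (format_cmd_record(rec, sizeof rec, uid, user, cmd) < 0)
        strcpy(rec, "HISTORY: record too long, dropped");
    syslog(LOG_AUTHPRIV | LOG_INFO, "%s", rec);
}

int main(void)
{
    openlog("bash", LOG_PID, LOG_AUTHPRIV);
    log_command(0, "intruder", "cat /etc/shadow"); /* constructed sample */
    closelog();
    return 0;
}
```

Records sent this way reach the remote host only if the local syslog daemon is configured to forward the authpriv facility there.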