• Subject: STRQSH and auditing (was "who ran the ADDTCPHTE command")
  • From: Evan Harris <spanner@xxxxxxxxxx>
  • Date: Thu, 07 Jun 2001 21:43:59 +1200

Since the subject of auditing has been bought up I have noticed what 
appears to be a bit of a hole (at least to me).

Find a user that has LMTCPB *NO, security auditing is enabled and the user 
is one of the audited profiles. The user is set to have commands saved to 
the audit journal.

STRQSH under that user and do a few things, say, "rm somedir" (is that the 
right command ?) or some other equally innocuous stuff.

Where in the audit journal do these commands turn up ?

Seems like commands issued under QSH don't get logged or I'm looking in the 
wrong place.

Anyone else come across this or located the where the QSH commands might 
live in the audit journal ? Or discovered what has to be done to get them 
there ?

The idea of a someone being able choose a different "wavelength" for their 
commands bothers more than a little bit if this turns out to be correct....

regards
Evan Harris

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.