Date:      Thu, 31 May 2001 18:10:02 -0400 (EDT)
From:      Igor Roshchin <str@giganda.komkon.org>
To:        security@freebsd.org
Subject:   accounting doesn't record all programs ?
Message-ID:  <200105312210.SAA22134@giganda.komkon.org>


I've just observed the following situation:
I saw a user running ee(1) (it was in the ps table, and was shown
by w(1)).
However, user's connection was interrupted, 
so he didn't exit from that process,
and the process was left "running".

When I ran "lastcomm" (I have accounting enabled), it didn't show "ee".

Only when I killed the process, it was reflected in the accounting
log (with all extra time accumulated).
So, the program run by a user is logged in the accounting logs only
upon completion.

I don't worry too much about the actual accounting
(although it might be important for those who are using/selling
paid-per-access-time shell accounts).
What I worry about is that there might be some ways that a user can run a process,
make it an orphan, and leave it there until a reboot, and then
it might not ever be logged into the accounting log.
(I might be wrong, and there might be no such scenario, because
it will be recorded anyway upon the shutdown command.)

So, my questions are:
1. Can one run a process without it being logged in the accounting log
while accounting is enabled?
2. (or 1a) Can a process name be somehow masked
(I know that using a softlink wouldn't help, the actual file
is logged)?
3. (or 1b) Hence, can the accounting logs be trusted as an accurate
list of programs run by the user
(assuming the logs are not altered)?


Thanks,

Igor
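
The behaviour described in the message (an accounting record appears only when a process exits, so a still-running or orphaned process is invisible to lastcomm) can be covered by a periodic process-table snapshot. The following is an added example, not part of the original message; the `ps -axo user,pid,ppid,tty,etime,comm` column layout, the sample lines and the `SYSTEM_USERS` set are constructed assumptions.

```python
"""Flag long-lived, orphaned user processes that accounting has not recorded yet.

Process accounting writes a record only when a process exits, so anything
still running is invisible to lastcomm. This reads a `ps` snapshot instead.
"""

# Constructed sample of `ps -axo user,pid,ppid,tty,etime,comm` output.
SAMPLE_PS = """\
USER   PID  PPID TT       ELAPSED COMMAND
root     1     0 ??   12-03:14:07 init
root   214     1 ??   12-03:13:40 syslogd
alice 4021  4010 p0         05:12 csh
alice 4090  4021 p0         00:03 ps
bob   3377     1 ??    2-01:00:09 ee
bob   3390     1 ??         10:00 sleep
"""

SYSTEM_USERS = {"root", "daemon", "bind", "www"}  # assumption: site-specific


def etime_seconds(etime):
    """Convert ps elapsed time, [[dd-]hh:]mm:ss, to seconds."""
    days, _, clock = etime.rpartition("-")
    parts = [int(p) for p in clock.split(":")]
    while len(parts) < 3:                          # pad missing hours
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return ((int(days or 0) * 24 + hours) * 60 + minutes) * 60 + seconds


def unaccounted_orphans(ps_text, min_age=3600):
    """Return (user, pid, command, age) for user processes reparented to init
    (PPID 1) that have been running at least min_age seconds."""
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 5)
        if len(fields) != 6:
            continue                               # ignore malformed rows
        user, pid, ppid, _tty, etime, comm = fields
        age = etime_seconds(etime)
        if user not in SYSTEM_USERS and ppid == "1" and age >= min_age:
            findings.append((user, int(pid), comm, age))
    return findings


if __name__ == "__main__":
    for user, pid, comm, age in unaccounted_orphans(SAMPLE_PS):
        print(f"{user} pid={pid} {comm} running {age}s, no accounting record until exit")
```

Logging these findings on a schedule keeps a record of processes that would otherwise reach the accounting file only if and when they exit.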




