From owner-freebsd-security  Thu May 31 15:36:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP id 1C38D37B424
	for <security@FreeBSD.ORG>; Thu, 31 May 2001 15:36:08 -0700 (PDT)
	(envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by
          nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with
          ESMTP id GE81FI00.D8K; Thu, 31 May 2001 15:35:42 -0700 
Message-ID: <3B16C755.ACF5696@globalstar.com>
Date: Thu, 31 May 2001 15:36:05 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Igor Roshchin <str@giganda.komkon.org>
Cc: security@FreeBSD.ORG
Subject: Re: accounting doesn't record all programs ?
References: <200105312210.SAA22134@giganda.komkon.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Igor Roshchin wrote:

[snip]

> So, my questions are:
> 1. Can one run a process without it being logged in the accounting log
> while accounting is enabled ?

RTFM, acct(2),

  DESCRIPTION
       The acct() call enables or disables the collection of system accounting
       records.  If the argument file is a nil pointer, accounting is disabled.
       If file is an existing pathname (null-terminated), record collection is
       enabled and for every process initiated which terminates under normal
       conditions an accounting record is appended to file.  Abnormal conditions
       of termination are reboots or other fatal system problems.  Records for
       processes which never terminate can not be produced by acct().

> 2. (or 1a) Can a process name be somehow masked
> (I know that using a softlink wouldn't help, the actual file
> is logged)  ?

Hard link.

> 3. (or 1b) Hence, can the accounting logs be trusted as an accurate
> list  of programs ran by the user ?
> (assuming the logs are not altered).

The acct(2) mechanism is meant for accounting purposes, not security
ones. It is usually possible to mask the name of a command executed.
However, a system may be configured to make it difficult if not 
impossible, e.g. if all places mortal users have write access is noexec,
I cannot see how they could do it.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message