Date:      Thu, 31 May 2001 15:36:05 -0700
From:      "Crist Clark" <crist.clark@globalstar.com>
To:        Igor Roshchin <str@giganda.komkon.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: accounting doesn't record all programs ?
Message-ID:  <3B16C755.ACF5696@globalstar.com>
References:  <200105312210.SAA22134@giganda.komkon.org>

Igor Roshchin wrote:

[snip]

> So, my questions are:
> 1. Can one run a process without it being logged in the accounting log
> while accounting is enabled ?

RTFM, acct(2),

  DESCRIPTION
       The acct() call enables or disables the collection of system accounting
       records.  If the argument file is a nil pointer, accounting is disabled.
       If file is an existing pathname (null-terminated), record collection is
       enabled and for every process initiated which terminates under normal
       conditions an accounting record is appended to file.  Abnormal conditions
       of termination are reboots or other fatal system problems.  Records for
       processes which never terminate can not be produced by acct().

> 2. (or 1a) Can a process name be somehow masked
> (I know that using a softlink wouldn't help, the actual file
> is logged)  ?

Hard link.

> 3. (or 1b) Hence, can the accounting logs be trusted as an accurate
> list of programs run by the user?
> (assuming the logs are not altered).

The acct(2) mechanism is meant for accounting purposes, not security
ones. It is usually possible to mask the name of a command executed.
However, a system may be configured to make it difficult if not
impossible, e.g. if all places mortal users have write access to are noexec,
I cannot see how they could do it.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
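
The noexec configuration Crist describes, as an added check that is not part of the original message or of FreeBSD: given mount(8) output (a constructed sample below), it resolves each directory that mortal users can write to (an assumed list in USER_WRITABLE) to the mount holding it and reports any whose mount lacks the noexec option.

```shell
#!/bin/sh
# Constructed sample of FreeBSD mount(8) output (not taken from the thread).
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid)
/dev/ad0s1f on /var (ufs, local, noexec)
/dev/ad0s1g on /home (ufs, local)'

# Assumed list of directories where unprivileged ("mortal") users can write.
USER_WRITABLE="/tmp /var/tmp /home /usr/home"

# check_noexec MOUNT_OUTPUT
# For each directory in USER_WRITABLE, find the mount that holds it (the
# longest mount point that is a prefix of the directory) and report the
# directory if that mount lacks the noexec option.  Prints the offending
# directories on one line and returns 1; returns 0 when all are noexec.
check_noexec() {
    mounts="$1"
    bad=""
    for dir in $USER_WRITABLE; do
        best=""
        bestopts=""
        # mount(8) lines look like: DEVICE on MOUNTPOINT (opt, opt, ...)
        while read -r dev _on mnt opts; do
            prefix="${mnt%/}/"          # "/" stays "/", "/var" becomes "/var/"
            case "$dir/" in
                "$prefix"*)
                    if [ ${#mnt} -ge ${#best} ]; then
                        best="$mnt"
                        bestopts="$opts"
                    fi ;;
            esac
        done <<EOF
$mounts
EOF
        case "$bestopts" in
            *noexec*) ;;                # executables on this mount cannot run
            *) bad="$bad $dir" ;;
        esac
    done
    bad="${bad# }"
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Audit the constructed sample; on a live system pass "$(mount)" instead.
check_noexec "$SAMPLE_MOUNTS" || echo "some user-writable filesystems allow exec"
```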
