Date: Fri, 2 Jul 1999 00:13:56 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: ben@nl.euro.net (Ben Gras)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: how to keep track of root users?
Message-ID: <199907011413.AAA02422@cheops.anu.edu.au>
In-Reply-To: <199907011316.PAA22709@support.euronet.nl> from "Ben Gras" at Jul 1, 99 03:16:11 pm

> It appears that the process accounting in FreeBSD is a remnant of a bygone
> era, where all cpu time was costly and had to be accounted for. From a
> security perspective, process accounting would need to:
> - log uid, gid, and euid of the user calling the process.
> - log the process name, executable name, and path to the executable.
> - log arguments to the process being executed.
> - log date and amount of time the process took to complete.
> - log the tty the user who called the process executed it from.

Process accounting provides information for what it was intended to do.
Attempting to use that information for different purposes is going to
lead you down the garden path. Process accounting is still useful, in
its current form, so `fixing' it is not the right thing to do.

What's required here is auditing. I *think* the POSIX security module
being worked on at present is more in line with what you're aiming to
achieve. If you've got access to Solaris, check out the man pages for
auditd, bsm, etc.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message