From owner-freebsd-security Thu Jul 1 7:13:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id D84F31524D for ; Thu, 1 Jul 1999 07:13:48 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id AAA02422; Fri, 2 Jul 1999 00:13:57 +1000 (EST)
From: Darren Reed
Message-Id: <199907011413.AAA02422@cheops.anu.edu.au>
Subject: Re: how to keep track of root users?
To: ben@nl.euro.net (Ben Gras)
Date: Fri, 2 Jul 1999 00:13:56 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199907011316.PAA22709@support.euronet.nl> from "Ben Gras" at Jul 1, 99 03:16:11 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> It appears that the process accounting in FreeBSD is a remnant of a bygone
> era, where all cpu time was costly and had to be accounted for. From a
> security perspective, process accounting would need to:
> - log uid, gid, and euid of the user calling the process.
> - log the process name, executable name, and path to the executable.
> - log arguments to the process being executed.
> - log date and amount of time the process took to complete.
> - log the tty the user who called the process executed it from.

Process accounting provides information for what it was intended to do.
Attempting to use that information for different purposes is going to lead
you down the garden path. Process accounting is still useful, in its current
form, so `fixing' it is not the right thing to do.

What's required here is auditing. I *think* the POSIX security module being
worked on at present is more in line with what you're aiming to achieve.
If you've got access to Solaris, check out the man pages for auditd, bsm, etc.
Darren
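To make the point of the exchange concrete, here is an added example (not code from either poster, and not FreeBSD's own source) that parses classic BSD process-accounting records and pulls out what they actually say about superuser activity. It assumes the 4.4BSD-era acct(5) record layout as a 32-bit FreeBSD of 1999 would have written it to /var/account/acct (a 10-byte command name, comp_t times, 32-bit uid/gid/tty, a flag byte; modern FreeBSD uses a different, versioned record), and the records it reads are constructed in memory rather than taken from a real system. The comp_t encoding follows the kernel's encode_comp_t() and lastcomm's expand(), minus the kernel's round-up step.

```python
"""Parse classic 4.4BSD struct acct records and report superuser activity.

What the record carries: a command name cut at 10 bytes, real uid/gid, the
controlling tty as a dev_t, start time, user/system/elapsed time, and an
ASU flag meaning 'used superuser privileges at some point'. What it does not
carry: the effective uid, the executable's path, or argv -- the items on the
wishlist quoted in the thread. Data below is constructed for the example."""
import struct

# comp_t: 3-bit base-8 exponent, 13-bit mantissa, counting AHZ ticks/second.
AHZ = 64
MANTSIZE, EXPSIZE, MAXFRACT = 13, 3, 8191

# Assumed layout (4.4BSD struct acct, 32-bit build, little-endian, padded to 40):
#   char ac_comm[10]; comp_t ac_utime, ac_stime, ac_etime; time_t ac_btime;
#   uid_t ac_uid; gid_t ac_gid; u_int16_t ac_mem; comp_t ac_io;
#   dev_t ac_tty; u_int8_t ac_flag; (3 bytes padding)
ACCT_FMT = "<10sHHHIIIHHIB3x"
ACCT_SIZE = struct.calcsize(ACCT_FMT)

AFORK, ASU, ACOMPAT, ACORE, AXSIG = 0x01, 0x02, 0x04, 0x08, 0x10


def encode_comp_t(seconds):
    """Seconds -> comp_t: convert to ticks, shift right by 3 until it fits."""
    s = int(round(seconds * AHZ))
    exp = 0
    while s > MAXFRACT:
        s >>= EXPSIZE
        exp += 1
    return (exp << MANTSIZE) | s


def decode_comp_t(c):
    """comp_t -> seconds, mirroring lastcomm's expand()."""
    mant, exp = c & MAXFRACT, c >> MANTSIZE
    return (mant << (EXPSIZE * exp)) / AHZ


def pack_acct(comm, utime, stime, etime, btime, uid, gid, tty, flag):
    """Build one record the way acct(2) would; comm is truncated to 10 bytes."""
    return struct.pack(ACCT_FMT, comm.encode()[:10],
                       encode_comp_t(utime), encode_comp_t(stime),
                       encode_comp_t(etime), btime, uid, gid, 0, 0, tty, flag)


def parse_acct(rec):
    """Decode one 40-byte record into a dict of the fields acct(5) provides."""
    comm, ut, st, et, btime, uid, gid, mem, io, tty, flag = struct.unpack(ACCT_FMT, rec)
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "utime": decode_comp_t(ut),
        "stime": decode_comp_t(st),
        "etime": decode_comp_t(et),
        "btime": btime,
        "uid": uid,            # real uid only; no euid is recorded
        "gid": gid,
        "tty": tty,            # a dev_t number, not a tty name
        "used_su": bool(flag & ASU),
        "fork_only": bool(flag & AFORK),
        "core": bool(flag & ACORE),
    }


def records(data):
    """Iterate over the records in an accounting file's contents."""
    for off in range(0, len(data) - ACCT_SIZE + 1, ACCT_SIZE):
        yield parse_acct(data[off:off + ACCT_SIZE])


def superuser_activity(data):
    """The nearest thing acct gives to 'keeping track of root users':
    records that ran as uid 0 or that set ASU. Nothing here tells you
    which binary (path) or with which arguments."""
    return [r for r in records(data) if r["used_su"] or r["uid"] == 0]


# Constructed sample: three commands, one of which escalated via su(1).
SAMPLE = b"".join([
    pack_acct("ls",            0.02, 0.01,   0.05, 930838437, 1000, 1000, 0x0500, 0),
    pack_acct("su",            0.05, 0.03,  12.00, 930838440, 1000, 1000, 0x0500, ASU),
    pack_acct("sendmail-queue", 0.50, 0.25, 120.00, 930838500,    0,    0, 0xFFFFFFFF, ASU),
])

if __name__ == "__main__":
    for r in superuser_activity(SAMPLE):
        print(f"{r['comm']:<10} uid={r['uid']:<5} tty={r['tty']:#x} "
              f"etime={r['etime']:.2f}s su={r['used_su']}")
```

Reading the output against the quoted wishlist shows the gap Darren is pointing at: uid, gid, tty and timing come straight out of the record, but "sendmail-queue" survives only as "sendmail-q", and the euid, path and argv items have no field to come from, so the answer has to be an audit facility rather than a patched acct(2).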