From owner-freebsd-security Sun Jan 16 15:14:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from intranova.net (blacklisted.intranova.net [209.3.31.70]) by hub.freebsd.org (Postfix) with SMTP id 12F7614EF7 for ; Sun, 16 Jan 2000 15:14:18 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 9269 invoked from network); 16 Jan 2000 18:16:22 -0000
Received: from hydrant.intranova.net (user23902@209.201.95.10) by blacklisted.intranova.net with SMTP; 16 Jan 2000 18:16:22 -0000
Date: Sun, 16 Jan 2000 18:11:33 -0500 (EST)
From: Omachonu Ogali
To: Will Andrews
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Parent Logging Patch for sh(1)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It becomes helpful when you're backtracking the origin of an intrusion. I'm logging the parent PID and name that executed 'sh' and there's a second version that adds a deny list.

Omachonu Ogali
Intranova Networking Group

On Sun, 16 Jan 2000, Will Andrews wrote:

> On 16-Jan-00 Omachonu Ogali wrote:
> > I thought it would benefit those who are security minded. Why shouldn't I
> > have posted it?
>
> How does it help to log the PPID + name of the file? What prompted you to do
> this sort of thing?
>
> --
> Will Andrews
> GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w---
> ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+
> G++>+++ e->++++ h! r-->+++ y?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
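The mechanism Ogali describes (at shell startup, record the parent's PID and process name, and in a second variant refuse to run when the parent is on a deny list) as an added, stand-alone example. This is not the patch from the thread and is not FreeBSD's sh(1) code: the process-name lookup reads /proc/<pid>/comm, which is an assumption that holds on Linux and on a FreeBSD with procfs mounted (a kernel-side patch would read p_comm directly or via the kern.proc.pid sysctl); the deny list contents and the exact-match rule are likewise assumptions, since the message does not say what the second version checks.

```c
/* Added example, not the patch discussed in the thread: a startup hook in the
 * spirit of the parent-logging patch for sh(1). It resolves the parent's PID
 * and name, writes one syslog line, and consults a deny list (the list and the
 * exact-match rule are assumptions; the message does not describe them). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/types.h>

/* Hypothetical deny list: daemons that should never spawn a shell. */
static const char *const deny_list[] = { "httpd", "named", "sendmail", NULL };

/* Best-effort name lookup via /proc/<pid>/comm (assumption: Linux, or FreeBSD
 * with procfs mounted; an in-kernel patch would use p_comm instead).
 * Returns 1 on success and leaves buf untouched on failure. */
int parent_name(pid_t pid, char *buf, size_t len)
{
    char path[64];
    FILE *f;

    snprintf(path, sizeof path, "/proc/%ld/comm", (long)pid);
    f = fopen(path, "r");
    if (f == NULL)
        return 0;
    if (fgets(buf, (int)len, f) == NULL) {
        fclose(f);
        return 0;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';   /* drop the trailing newline */
    return 1;
}

/* Exact-match deny check; returns 1 if the parent's name is listed. */
int parent_denied(const char *name)
{
    const char *const *p;

    for (p = deny_list; *p != NULL; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* Formats the audit line. out may be NULL with len 0 to size the line;
 * returns the length the full line would have (snprintf semantics). */
int format_log_line(pid_t ppid, const char *pname, uid_t uid,
                    char *out, size_t len)
{
    return snprintf(out, len, "sh started by pid %ld (%s) uid %ld",
                    (long)ppid, pname, (long)uid);
}

/* The hook itself: log who started us, then report whether to refuse.
 * Returns 1 if the parent is on the deny list, 0 otherwise. */
int sh_parent_check(void)
{
    char name[64] = "unknown";
    char line[256];
    pid_t ppid = getppid();

    parent_name(ppid, name, sizeof name);
    format_log_line(ppid, name, getuid(), line, sizeof line);
    openlog("sh", LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, "%s", line);
    closelog();
    return parent_denied(name);
}

int main(void)
{
    if (sh_parent_check()) {
        fputs("sh: parent process is on the deny list, refusing to start\n",
              stderr);
        return 1;
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind when reading such logs. The parent's name is whatever the parent exec'd as, so a process that has already been compromised can exec under a benign name, and a parent that exits before the shell starts leaves getppid() pointing at init; the line is a breadcrumb for backtracking, as the message says, not an authoritative record. The deny list also only covers /bin/sh: a parent that runs another shell, or the target binary directly, never passes through this hook.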