Date: Tue, 7 May 1996 14:00:30 -0600
From: Sean Kelly <kelly@fsl.noaa.gov>
To: brian@mail.vividnet.com
Cc: freebsd-security@freebsd.org
Subject: Re: Weird system security output
Message-ID: <9605072000.AA12542@fslg8.fsl.noaa.gov>
In-Reply-To: <Pine.BSF.3.91.960504115115.9617A-100000@taurus.vividnet.com> (message from Brian Wang on Sat, 4 May 1996 12:07:21 -0700 (PDT))
>>>>> "Brian" == Brian Wang <brian@mail.vividnet.com> writes:

    Brian> Somehow, the date stamp gets altered for no reason...a
    Brian> compromised system? Again, checking the binary file from
    Brian> the backup/cdrom yielded nothing.

Neat. It's never happened to me, but I don't have that many users and I know 'em all pretty well (I think).

Try turning on process accounting. In /etc/sysconfig, change the line

    accounting=NO

to

    accounting=YES

I don't think the warning in the file that says it doesn't work is warranted. I've run with accounting on since 2.0 and have had no unexplained problems or spontaneous reboots.

Then, reboot. Or, better yet, just start accounting immediately:

    accton /var/account/acct

The next time your daily security check shows a file time difference, check the change time of the file in question and see if you can match it up with a specific command run by a specific user by running lastcomm.

-- 
Sean Kelly
NOAA Forecast Systems Laboratory
kelly@fsl.noaa.gov
Boulder Colorado USA
http://www-sdd.fsl.noaa.gov/~kelly/
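The matching step described in the message above, sketched as an added example that is not part of the original e-mail: it parses lastcomm output and lists the commands started shortly before a file's change time. The column layout, the sample accounting lines, the user names and the change time are all constructed assumptions.

```python
import os
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Assumed lastcomm layout: command, flags, user, tty, CPU secs, start time (no year).
LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<cpu>[\d.]+)\s+secs\s+\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d+)\s+"
    r"(?P<hh>\d\d):(?P<mm>\d\d)")

def parse_lastcomm(text, year):
    """Turn lastcomm output into records; the year is supplied by the caller."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue  # skip lines that do not fit the assumed layout
        start = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                         int(m["hh"]), int(m["mm"]))
        records.append({"cmd": m["cmd"], "flags": m["flags"],
                        "user": m["user"], "tty": m["tty"], "start": start})
    return records

def file_change_time(path):
    """Inode change time (ctime) of the file flagged by the security check."""
    return datetime.fromtimestamp(os.stat(path).st_ctime)

def commands_near(records, changed, window_minutes=5):
    """Commands whose start time falls in the window ending at the change time."""
    earliest = changed - timedelta(minutes=window_minutes)
    return [r for r in records if earliest <= r["start"] <= changed]

# Constructed sample, not real accounting data.
SAMPLE = """\
ls         -       alice    ttyp0      0.02 secs Tue May  7 13:12
touch      -       bob      ttyp1      0.01 secs Tue May  7 13:41
chmod      -S      root     ttyp1      0.01 secs Tue May  7 13:42
sh         -F      bob      ttyp1      0.03 secs Tue May  7 13:42
vi         -       alice    ttyp0      0.41 secs Tue May  7 14:05
"""
SAMPLE_CHANGE = datetime(1996, 5, 7, 13, 42, 30)  # constructed change time

if __name__ == "__main__":
    for r in commands_near(parse_lastcomm(SAMPLE, 1996), SAMPLE_CHANGE):
        print(r["start"], r["user"], r["tty"], r["cmd"], r["flags"])
```

On a live system, pass the real `lastcomm` output and `file_change_time(path)` for the flagged file; widen the window if the change could have come from a process that had been running for a while.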