Date: Tue, 7 May 1996 14:00:30 -0600
From: Sean Kelly <kelly@fsl.noaa.gov>
To: brian@mail.vividnet.com
Cc: freebsd-security@freebsd.org
Subject: Re: Weird system security output
Message-ID: <9605072000.AA12542@fslg8.fsl.noaa.gov>
In-Reply-To: <Pine.BSF.3.91.960504115115.9617A-100000@taurus.vividnet.com> (message from Brian Wang on Sat, 4 May 1996 12:07:21 -0700 (PDT))
>>>>> "Brian" == Brian Wang <brian@mail.vividnet.com> writes:
Brian> Somehow, the date stamp gets altered for no reason...a
Brian> compromised system? Again, checking the binary file from
Brian> the backup/cdrom yielded nothing.
Neat. It's never happened to me, but I don't have that many users and
I know 'em all pretty well (I think).
Try turning on process accounting. In /etc/sysconfig, change the line
    accounting=NO
to
    accounting=YES
I don't think the warning in the file that says it doesn't work is
warranted. I've run with accounting on since 2.0 and have had no
unexplained problems or spontaneous reboots.
Then, reboot. Or, better yet, just start accounting immediately:
    accton /var/account/acct
The next time your daily security check shows a file time difference,
check the change time of the file in question and see if you can match
it up with a specific command run by a specific user by running
lastcomm.
--
Sean Kelly
NOAA Forecast Systems Laboratory kelly@fsl.noaa.gov
Boulder Colorado USA http://www-sdd.fsl.noaa.gov/~kelly/
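
The matching step described in the message above, as an added example that is not part of the original e-mail: a shell function that filters lastcomm output down to the processes started shortly before a file's change time. The names match_ctime and sample_lastcomm and the sample records are constructed for illustration; the parser assumes each lastcomm line ends in weekday, month, day and HH:MM.

```shell
#!/bin/sh
# Correlate a file's change time (ctime) with process accounting records.
# Get the ctime with `ls -lc <file>`, then feed lastcomm output to match_ctime.

# match_ctime MONTH DAY HH:MM [WINDOW_MINUTES]
# Reads lastcomm output on stdin and prints "user command start" for every
# process that started on that date at most WINDOW_MINUTES (default 2)
# before the change time. A process has to start before it can touch the
# file, so records that start after the ctime are excluded.
# Limitation: the window does not reach back across midnight.
match_ctime() {
    awk -v mon="$1" -v day="$2" -v hhmm="$3" -v win="${4:-2}" '
    function minutes(t,  p) { split(t, p, ":"); return p[1] * 60 + p[2] }
    BEGIN { target = minutes(hhmm) }
    # Fields are read from the end of the line so that an unusual command
    # name or tty column does not shift the date columns.
    NF >= 7 && $(NF-2) == mon && $(NF-1) + 0 == day + 0 {
        delta = target - minutes($NF)
        if (delta >= 0 && delta <= win)
            printf "%s %s %s\n", $3, $1, $NF
    }'
}

# Constructed sample records in lastcomm's column layout:
# command, flags, user, tty, CPU time, start time.
sample_lastcomm() {
    cat <<'EOF'
sendmail   -SF    root     __         0.031 secs Tue May  7 13:55
touch      -      jdoe     ttyp1      0.016 secs Tue May  7 13:51
ls         -      jdoe     ttyp1      0.008 secs Tue May  7 13:40
cron       -F     root     __         0.000 secs Mon May  6 13:52
EOF
}

# Demo: the security check reported a ctime of May 7 13:52.
sample_lastcomm | match_ctime May 7 13:52 2   # prints: jdoe touch 13:51
```

On a live system, replace sample_lastcomm with lastcomm itself and widen the window if the daily check only narrows the change down to a longer interval.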
