Date: Thu, 1 Jul 1999 22:29:19 +1000 (EST)
From: Nicholas Brawn
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: how to keep track of root users?
In-Reply-To: <199906302058.NAA00679@passer.osg.gov.bc.ca>

On Wed, 30 Jun 1999, Cy Schubert wrote:

> Finally, process accounting can provide a limited logging
> capability.

It appears that the process accounting in FreeBSD is a remnant of a bygone
era, where all cpu time was costly and had to be accounted for. From a
security perspective, process accounting would need to:

- log uid, gid, and euid of the user calling the process.
- log the process name, executable name, and path to the executable.
- log arguments to the process being executed.
- log date and amount of time the process took to complete.
- log the tty the user who called the process executed it from.

That being said, who wants to write it? ;)

Nick

>
> Of course all of the above logging can be defeated by anyone with
> root wishing to hide their tracks.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
> ITSD                                   Cy.Schubert@gems8.gov.bc.ca
> Province of BC
>                       "e**(i*pi)+1=0"
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message