Date:      Fri, 2 Jul 1999 00:13:56 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        ben@nl.euro.net (Ben Gras)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: how to keep track of root users?
Message-ID:  <199907011413.AAA02422@cheops.anu.edu.au>
In-Reply-To: <199907011316.PAA22709@support.euronet.nl> from "Ben Gras" at Jul 1, 99 03:16:11 pm

> It appears that the process accounting in FreeBSD is a remnant of a bygone
> era, where all cpu time was costly and had to be accounted for. From a
> security perspective, process accounting would need to:
> - log uid, gid, and euid of the user calling the process.
> - log the process name, executable name, and path to the executable.
> - log arguments to the process being executed.
> - log date and amount of time the process took to complete.
> - log the tty the user who called the process executed it from.

Process accounting provides information for what it was intended to do.
Attempting to use that information for different purposes is going to
lead you down the garden path.  Process accounting is still useful, in
its current form, so `fixing' it is not the right thing to do.

What's required here is auditing.  I *think* the POSIX security module
being worked on at present is more in line with what you're aiming to
achieve.  If you've got access to Solaris, check out the man pages for
auditd, bsm, etc.

Darren






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907011413.AAA02422>