From owner-freebsd-questions Thu Aug 9 16:35:39 2001
From: Mike Meyer
Date: Thu, 9 Aug 2001 18:35:33 -0500
To: Michael Conlen
Cc: questions@freebsd.org
Subject: Re: packaging up a kernel hack
Message-ID: <15219.7749.270865.991829@guru.mired.org>
In-Reply-To: <52533197@toto.iv>

Michael Conlen types:
> Maybe it's because it's late and I've been hacking,
> but I haven't seen a good doc on what to do when you
> have a neat kernel hack you want to share with the
> rest of the world. This hack *needs* an option. Most
> people don't need it, and it will give you BIG log
> files, but I haven't figured out how to create options
> yet. Any doc pointers?

I've seen it on the FreeBSD site, but it looks like you've added something that mostly already exists.

> Aug 9 03:10:49 eno /kernel: exec: uid:0 pid:353 -> pid->354 /usr/local/etc/rc.d/apache.sh start
>
> Now, if you were remotely logging and someone broke in
> to your box, this would be kinda handy me thinks.

Yes, but not as handy as the lastcomm command, which is already on the system.
You're saving a slightly different set of information, and I could see extending the accounting stuff to include some of that information - particularly the pid and ppid. The full path name and argument list are both more useful and more problematical. On the other hand, some of the stuff that accton saves that you don't is also well worth having, in particular the terminal it started from and the time the process exited. It also provides a much cleaner interface than a kernel compile option to start saving data, so that just leaving it there all the time makes sense. So if I notice someone has broken in, I just turn it on and it starts logging their activities.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
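As an added example (not code from either poster): a small Python parser for the `/kernel: exec:` syslog lines quoted in the thread, which rebuilds the exec chain for a pid from remotely collected log lines. It assumes the first pid in the line is the parent that performed the exec and the second is the new process; the message itself does not define the fields, and the extra sample lines are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Assumed layout (the thread does not document the fields):
# "<ts> <host> /kernel: exec: uid:<uid> pid:<parent> -> pid-><child> <path> <args...>"
EXEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: exec: "
    r"uid:(?P<uid>\d+) pid:(?P<ppid>\d+) -> pid->(?P<pid>\d+) (?P<cmd>.+)$"
)


class ExecEvent(NamedTuple):
    ts: str
    host: str
    uid: int
    ppid: int
    pid: int
    path: str
    args: List[str]


def parse_exec_line(line: str) -> Optional[ExecEvent]:
    """Return an ExecEvent for a kernel exec log line, or None for any other syslog line."""
    m = EXEC_RE.match(line.strip())
    if not m:
        return None
    argv = m.group("cmd").split()  # path first, then the argument list
    return ExecEvent(m.group("ts"), m.group("host"), int(m.group("uid")),
                     int(m.group("ppid")), int(m.group("pid")), argv[0], argv[1:])


def build_tree(lines: List[str]) -> Dict[int, ExecEvent]:
    """Index exec events by child pid; a later exec of the same pid replaces the earlier one."""
    events: Dict[int, ExecEvent] = {}
    for line in lines:
        ev = parse_exec_line(line)
        if ev is not None:
            events[ev.pid] = ev
    return events


def ancestry(events: Dict[int, ExecEvent], pid: int) -> List[str]:
    """Walk parent links back to the oldest logged ancestor; returns paths root-first."""
    chain: List[str] = []
    seen = set()  # guards against pid reuse producing a cycle
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid].path)
        pid = events[pid].ppid
    return list(reversed(chain))


# Constructed sample: the line quoted in the thread plus three made-up follow-ons.
SAMPLE_LOG = [
    "Aug 9 03:10:49 eno /kernel: exec: uid:0 pid:353 -> pid->354 /usr/local/etc/rc.d/apache.sh start",
    "Aug  9 03:10:50 eno /kernel: exec: uid:0 pid:354 -> pid->360 /usr/local/sbin/httpd -DSSL",
    "Aug  9 03:11:02 eno last message repeated 2 times",
    "Aug  9 03:12:13 eno /kernel: exec: uid:80 pid:360 -> pid->401 /bin/sh -c id",
]
```

Running `ancestry(build_tree(SAMPLE_LOG), 401)` yields the chain from the rc script down to the shell spawned by the web server, which is the kind of trail the original poster wanted from a remote syslog host.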