From owner-freebsd-security Thu May 31 15:10:18 2001
Date: Thu, 31 May 2001 18:10:02 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200105312210.SAA22134@giganda.komkon.org>
To: security@freebsd.org
Subject: accounting doesn't record all programs ?

I've just observed the following situation:

I saw a user running ee(1) (it was in the ps table, and was shown by w(1)). However, the user's connection was interrupted, so he didn't exit from that process, and the process was left "running".

When I ran "lastcomm" (I have accounting enabled), it didn't show "ee". Only when I killed the process was it reflected in the accounting log (with all the extra time accumulated).

So, the program run by a user is logged in the accounting logs only upon completion.

I don't worry too much about the actual accounting (although it might be important for those who are using/selling paid per-access-time shell accounts). What I worry about is that there might be some ways that a user can run a process, make it an orphan, and leave it there until a reboot, and then it might not ever be logged into the accounting log. (I might be wrong, and there might be no such scenario, because it will be recorded anyway upon the shutdown command).

So, my questions are:

1. Can one run a process without it being logged in the accounting log while accounting is enabled ?
2. (or 1a) Can a process name be somehow masked (I know that using a softlink wouldn't help, the actual file is logged) ?
3. (or 1b) Hence, can the accounting logs be trusted as an accurate list of programs run by the user ? (assuming the logs are not altered).

Thanks,
Igor
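The gap Igor describes (a process exists in ps/w but has no lastcomm record until it exits) can be measured from the two views an admin already has. The following is an added example, not part of the original mail; the ps and lastcomm lines are constructed samples, and NOW stands in for the time the check is run.

```python
from datetime import datetime

# Constructed sample of `ps -axo pid,user,lstart,comm` output (not real data).
PS_SAMPLE = """\
  PID USER     STARTED                   COMMAND
  412 igor     Thu May 31 14:02:11 2001  ee
  519 igor     Thu May 31 17:55:40 2001  -csh
"""

# Constructed sample of `lastcomm` output. The editor session above is
# absent: the acct(5) record is only written when the process exits.
LASTCOMM_SAMPLE = """\
w           -  root     ttyp1      0.01 secs Thu May 31 18:09
ls          -  igor     ttyp0      0.02 secs Thu May 31 17:58
"""

# Assumed observation time (the mail's own Date header).
NOW = datetime(2001, 5, 31, 18, 10, 2)

def parse_ps(ps_text):
    """Yield (pid, user, started, comm) from ps output with an lstart column."""
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 7)                # pid user dow mon day time year comm
        if len(parts) < 8:
            continue
        started = datetime.strptime(" ".join(parts[2:7]), "%a %b %d %H:%M:%S %Y")
        yield int(parts[0]), parts[1], started, parts[7]

def accounted(lastcomm_text):
    """Return the set of (command, user) pairs that lastcomm has a record for."""
    pairs = set()
    for line in lastcomm_text.splitlines():
        parts = line.split()                       # comm flags user tty ...
        if len(parts) >= 3:
            pairs.add((parts[0], parts[2]))
    return pairs

def invisible_to_lastcomm(ps_text, lastcomm_text, now, min_seconds=0):
    """Running processes with no accounting record yet, with the number of
    seconds of runtime that is currently outside the accounting log."""
    seen = accounted(lastcomm_text)
    result = []
    for pid, user, started, comm in parse_ps(ps_text):
        age = int((now - started).total_seconds())
        # login shells show as "-csh"; strip the marker before matching
        if (comm.lstrip("-"), user) not in seen and age >= min_seconds:
            result.append((pid, user, comm, age))
    return result
```

Run with a threshold (e.g. min_seconds=3600) to list only long-lived sessions whose time has not reached the accounting file; a session left behind by a dropped connection shows up here long before it shows up in lastcomm.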