From: "Crist Clark"
Organization: Globalstar LP
Date: Thu, 31 May 2001 15:36:05 -0700
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Subject: Re: accounting doesn't record all programs ?
Message-ID: <3B16C755.ACF5696@globalstar.com>
References: <200105312210.SAA22134@giganda.komkon.org>

Igor Roshchin wrote:
[snip]
> So, my questions are:
> 1. Can one run a process without it being logged in the accounting log
>    while accounting is enabled ?

RTFM, acct(2), DESCRIPTION:

     The acct() call enables or disables the collection of system accounting
     records.  If the argument file is a nil pointer, accounting is disabled.
     If file is an existing pathname (null-terminated), record collection is
     enabled and for every process initiated which terminates under normal
     conditions an accounting record is appended to file.  Abnormal conditions
     of termination are reboots or other fatal system problems.  Records for
     processes which never terminate can not be produced by acct().

> 2. (or 1a) Can a process name be somehow masked
>    (I know that using a softlink wouldn't help, the actual file
>    is logged) ?

Hard link.

> 3. (or 1b) Hence, can the accounting logs be trusted as an accurate
>    list of programs run by the user ?
>    (assuming the logs are not altered).

The acct(2) mechanism is meant for accounting purposes, not security ones.
It is usually possible to mask the name of a command executed. However, a
system may be configured to make it difficult if not impossible, e.g. if all
places where mortal users have write access are noexec, I cannot see how they
could do it.

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
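Clark's closing point, that a hard-linked copy cannot be executed when every place an unprivileged user can write is mounted noexec, suggests a simple audit. The POSIX shell below is an added example, not code from the thread: it reads fstab-style lines, finds the mount that holds each directory in a list of conventionally user-writable paths, and reports those whose mount lacks the noexec option; both the fstab and the directory list are constructed samples and the list is an assumption to be replaced with what the host actually permits.

```shell
#!/bin/sh
# Constructed sample fstab (FreeBSD 4.x style); not taken from a real host.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options              Dump Pass
/dev/ad0s1b     none        swap    sw                   0    0
/dev/ad0s1a     /           ufs     rw                   1    1
/dev/ad0s1e     /tmp        ufs     rw,nosuid            2    2
/dev/ad0s1f     /usr        ufs     rw                   2    2
/dev/ad0s1g     /var        ufs     rw,noexec,nosuid     2    2
/dev/ad0s1h     /home       ufs     rw                   2    2
proc            /proc       procfs  rw                   0    0'

# Directories unprivileged users can conventionally write to. This list is
# an assumption for the example; derive it from the real system when auditing.
USER_WRITABLE="/tmp /var/tmp /home"

# Read fstab lines on stdin. For each user-writable directory, pick the mount
# with the longest mount point that is a path prefix of it, then print
# "<dir> <mountpoint>" when that mount's options lack noexec.
# Exit status: 0 when nothing is flagged, 1 otherwise.
find_exec_user_mounts() {
    found=0
    fstab=$(cat)
    for uw in $USER_WRITABLE; do
        best_mnt=''; best_opts=''
        while read -r dev mnt fstype opts dump pass; do
            case "$dev" in ''|\#*) continue ;; esac   # blank or comment line
            [ "$mnt" = none ] && continue             # swap entries
            # $mnt holds $uw if it equals $uw or is a parent directory of it.
            case "$uw" in
                "$mnt"|"${mnt%/}"/*)
                    if [ ${#mnt} -gt ${#best_mnt} ]; then
                        best_mnt=$mnt; best_opts=$opts
                    fi ;;
            esac
        done <<EOF
$fstab
EOF
        case ",$best_opts," in
            *,noexec,*) ;;
            *) printf '%s %s\n' "$uw" "${best_mnt:-?}"; found=1 ;;
        esac
    done
    return $found
}

printf '%s\n' "$SAMPLE_FSTAB" | find_exec_user_mounts
```

On the sample, /var/tmp passes because it lives on the noexec /var filesystem, while /tmp and /home are reported.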