Message-Id: <9605072000.AA12542@fslg8.fsl.noaa.gov>
Date: Tue, 7 May 1996 14:00:30 -0600
From: Sean Kelly
To: brian@mail.vividnet.com
Cc: freebsd-security@freebsd.org
In-Reply-To: (message from Brian Wang on Sat, 4 May 1996 12:07:21 -0700 (PDT))
Subject: Re: Weird system security output

>>>>> "Brian" == Brian Wang writes:

Brian> Somehow, the date stamp gets altered for no reason...a
Brian> compromised system? Again, checking the binary file from
Brian> the backup/cdrom yielded nothing.

Neat. It's never happened to me, but I don't have that many users and
I know 'em all pretty well (I think).

Try turning on process accounting. In /etc/sysconfig, change the line

    accounting=NO

to

    accounting=YES

I don't think the warning in the file that says it doesn't work is
warranted. I've run with accounting on since 2.0 and have had no
unexplained problems or spontaneous reboots.

Then, reboot. Or, better yet, just start accounting immediately:

    accton /var/account/acct

The next time your daily security check shows a file time difference,
check the change time of the file in question and see if you can match
it up with a specific command run by a specific user by running
lastcomm.

-- 
Sean Kelly                NOAA Forecast Systems Laboratory
kelly@fsl.noaa.gov        Boulder Colorado USA
http://www-sdd.fsl.noaa.gov/~kelly/
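
The matching step described in the message above, as an added example that is not part of Sean Kelly's message: a filter that narrows lastcomm output to commands started shortly before a file's change time. The lastcomm column layout, the function names and the sample records are constructed assumptions.

```shell
#!/bin/sh
# Added example: match a file's change time against process accounting.
# Assumed lastcomm record layout (classic BSD), split on whitespace:
#   command flags user tty cpu "secs" Dow Mon DD HH:MM
# Fields are read from the end of the line so that an odd command name
# cannot shift the user or time columns.

# candidates MON DAY HH:MM WINDOW_MIN
# Reads lastcomm-style records on stdin and prints "user command HH:MM" for
# each process started on that date within WINDOW_MIN minutes before (or at)
# the given time. Same-day only; a long-running editor may have started
# well before the change, so widen the window if nothing matches.
candidates() {
    awk -v mon="$1" -v day="$2" -v at="$3" -v win="$4" '
        function mins(t,  p) { split(t, p, ":"); return p[1] * 60 + p[2] }
        BEGIN { target = mins(at) }
        NF >= 10 && $(NF-4) == "secs" &&
        $(NF-2) == mon && $(NF-1) + 0 == day + 0 {
            d = target - mins($NF)
            if (d >= 0 && d <= win) print $(NF-7), $1, $NF
        }'
}

# Constructed sample records (not real accounting data).
sample_lastcomm() {
    cat <<'EOF'
sh          -       root     __         0.016 secs Tue May  7 02:00
touch       -       jdoe     ttyp2      0.000 secs Tue May  7 13:58
vi          -       kelly    ttyp1      0.094 secs Tue May  7 13:41
ls          -       jdoe     ttyp2      0.016 secs Tue May  7 14:03
cp          -S      root     ttyp0      0.031 secs Mon May  6 13:59
EOF
}

# Suppose the daily security check flagged a binary whose change time
# (ls -lc) reads "May 7 14:00": list what started in the 10 minutes before.
sample_lastcomm | candidates May 7 14:00 10
```

On a live system, pipe real lastcomm output into candidates in place of the sample records, using the month, day and time shown by ls -lc for the flagged file.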