From owner-freebsd-hackers Mon Feb 10 18:53:48 2003
Date: Tue, 11 Feb 2003 03:53:47 +0100
From: Pawel Jakub Dawidek
To: Julian Elischer
Cc: freebsd-hackers@freebsd.org, des@freebsd.org
Subject: Re: Some "security" questions.
Message-ID: <20030211025347.GI392@garage.freebsd.pl>
In-Reply-To: <20030211024028.GH392@garage.freebsd.pl>
References: <20030211024028.GH392@garage.freebsd.pl>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.7-STABLE i386
User-Agent: Mutt/1.5.1i

On Tue, Feb 11, 2003 at 03:40:28AM +0100, Pawel Jakub Dawidek wrote:
> > Anyone have any modules to REALLY log execs?
>
> Yes, we have:
>
> http://cerber.sourceforge.net
>
> If you want only execve() logging you can try rexec. Or wait for the
> first cerb-ng release.
There is such a policy defined, and it looks like this:

    if (syscall == SYS_execve) {
        log(LOG_INFO, "CerbNG:%s(%s): Running %s(%s) (args: %S) "
            "[pid=%u, ruid=%u, euid=%u, groups=%U].",
            pname, pfname, arg[0], realpath(arg[0]), arg[1],
            pid, ruid, euid, groups);
    }

The output in the logs is something like:

    CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) (args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) [pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
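The log line format in the message above is what a detection pipeline would consume, and the interesting fields are the ones the policy chose to emit: the parent and its path, the resolved path of the new image, the full argv, and the ruid/euid pair, which is exactly the setuid boundary that passwd crossing into pwd_mkdb shows. As an added example, not part of the original message or of cerb-ng, here is a Python parser for that line plus a few heuristics run over constructed sample lines. The parent/child allowlist, the world-writable directory list, and every sample line except the one quoted from the message are assumptions made up for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the CerbNG execve log line quoted in the message. search() is used so
# a syslog prefix ("Feb 11 03:53:47 host kernel: ") before "CerbNG:" is tolerated.
LINE_RE = re.compile(
    r"CerbNG:(?P<pname>[^(]+)\((?P<pfname>[^)]*)\): "
    r"Running (?P<cname>[^(]+)\((?P<cpath>[^)]*)\) "
    r"\(args: \[(?P<args>.*?)\]\) "
    r"\[pid=(?P<pid>\d+), ruid=(?P<ruid>\d+), euid=(?P<euid>\d+), "
    r"groups=\[(?P<groups>[^\]]*)\]\]\.?\s*$"
)
# Individual argv entries inside the %S array: double-quoted, backslash-escaped.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Assumed baseline: parent/child pairs expected to exec with euid 0 while
# ruid != 0. The passwd -> pwd_mkdb pair is the one the message shows.
EXPECTED_PRIV_EXECS = {("/usr/bin/passwd", "/usr/sbin/pwd_mkdb")}
# Assumed list of world-writable locations an exec should not come from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ExecEvent:
    parent: str        # %s pname: name of the process calling execve()
    parent_path: str   # %s pfname: its executable path
    child: str         # %s arg[0]: the name being executed
    child_path: str    # %s realpath(arg[0]): resolved path of the new image
    args: List[str]    # %S arg[1]: argv of the new image
    pid: int
    ruid: int
    euid: int
    groups: List[int]  # %U groups


def parse_exec_line(line: str) -> Optional[ExecEvent]:
    """Parse one CerbNG exec log line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return ExecEvent(
        parent=m["pname"], parent_path=m["pfname"],
        child=m["cname"], child_path=m["cpath"],
        args=QUOTED_RE.findall(m["args"]),
        pid=int(m["pid"]), ruid=int(m["ruid"]), euid=int(m["euid"]),
        groups=[int(g) for g in m["groups"].split(",") if g.strip()],
    )


def flag_event(ev: ExecEvent) -> List[str]:
    """Return the heuristics an event trips (empty list means nothing odd)."""
    reasons = []
    # ruid != euid == 0 is a setuid-root boundary; only known pairs are expected.
    if ev.euid == 0 and ev.ruid != 0 and (ev.parent_path, ev.child_path) not in EXPECTED_PRIV_EXECS:
        reasons.append("unexpected setuid-root exec")
    if ev.child_path.startswith(SUSPICIOUS_DIRS):
        reasons.append("exec from world-writable directory")
    # argv[0] that does not name the image is a classic way to hide in ps(1).
    # Heuristic only: login shells ("-bash") and symlinked binaries also trip it.
    if ev.args and os.path.basename(ev.args[0]) != os.path.basename(ev.child_path):
        reasons.append("argv[0] does not match executable name")
    return reasons


def scan(lines: List[str]) -> List[Tuple[ExecEvent, List[str]]]:
    """Run flag_event over a batch of log lines, skipping lines that do not parse."""
    hits = []
    for line in lines:
        ev = parse_exec_line(line)
        if ev is not None and flag_event(ev):
            hits.append((ev, flag_event(ev)))
    return hits


# Constructed sample input. The first line is the one quoted in the message;
# the rest are made up for the example (the last one is deliberately truncated).
SAMPLE_LINES = [
    'CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) '
    '(args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) '
    '[pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].',
    'CerbNG:sh(/bin/sh): Running nc(/tmp/nc) (args: [ "nc", "-l", "-p", "4444" ]) '
    '[pid=1234, ruid=1000, euid=1000, groups=[ 1000 ]].',
    'CerbNG:vuln(/usr/local/bin/vuln): Running sh(/bin/sh) (args: [ "sh", "-c", "id" ]) '
    '[pid=1300, ruid=1000, euid=0, groups=[ 1000, 0 ]].',
    'CerbNG:sh(/bin/sh): Running evil(/home/jules/.x/evil) (args: [ "sshd" ]) '
    '[pid=1400, ruid=1000, euid=1000, groups=[ 1000 ]].',
    'CerbNG:sh(/bin/sh): Running (truncated',
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LINES):
        print(f"pid {ev.pid}: {ev.parent_path} -> {ev.child_path}: {', '.join(reasons)}")
```

The parser keys on the realpath() field rather than on arg[0], which is the reason the policy logs both: arg[0] is attacker-controlled, the resolved path is not. The allowlist check is the part that needs tuning per host; the passwd to pwd_mkdb transition is normal, but a setuid binary handing control to /bin/sh with euid 0 is the pattern a logging hook like this exists to catch.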