Date:      Tue, 11 Feb 2003 03:53:47 +0100
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        Julian Elischer <julian@elischer.org>
Cc:        freebsd-hackers@freebsd.org, des@freebsd.org
Subject:   Re: Some "security" questions.
Message-ID:  <20030211025347.GI392@garage.freebsd.pl>
In-Reply-To: <20030211024028.GH392@garage.freebsd.pl>
References:  <Pine.BSF.4.21.0302101752500.49102-100000@InterJet.elischer.org> <20030211024028.GH392@garage.freebsd.pl>


On Tue, Feb 11, 2003 at 03:40:28AM +0100, Pawel Jakub Dawidek wrote:
+> +> Anyone have any modules to REALLY log execs?
+> 
+> Yes, we got:
+> 
+> 	http://cerber.sourceforge.net
+> 
+> If You want only execve() logging You can try rexec.

Or wait for the first cerb-ng release. There is such a policy defined,
and it looks like:

if (syscall == SYS_execve) {
	log(LOG_INFO, "CerbNG:%s(%s): Running %s(%s) (args: %S) "
	    "[pid=%u, ruid=%u, euid=%u, groups=%U].",
	    pname, pfname, arg[0], realpath(arg[0]), arg[1],
	    pid, ruid, euid, groups);
}

The output in the logs looks something like:

CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) (args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) [pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].
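As an added example (not part of this message or of cerb-ng itself), here is a small parser for the log line format shown above, plus a check that flags executions where a non-root real user ends up running something with euid 0, which is what the quoted passwd/pwd_mkdb line shows. The field layout beyond that single example line is an assumption, and the extra sample lines are constructed.

```python
import re
# Regex built from the log line quoted above; the cerb-ng output format
# beyond that single example is an assumption.
_EXEC_LINE = re.compile(
    r'CerbNG:(?P<pname>[^(]+)\((?P<pfname>[^)]*)\): '
    r'Running (?P<prog>[^(]+)\((?P<realpath>[^)]*)\) '
    r'\(args: \[ (?P<args>.*?) \]\) '
    r'\[pid=(?P<pid>\d+), ruid=(?P<ruid>\d+), euid=(?P<euid>\d+), '
    r'groups=\[ (?P<groups>[^\]]*) \]\]\.$'
)

def parse_exec_line(line):
    """Parse one CerbNG execve log line into a dict; return None if it does not match."""
    m = _EXEC_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Arguments are quoted strings; pull out the contents of each pair of quotes.
    rec["args"] = re.findall(r'"((?:[^"\\]|\\.)*)"', rec["args"])
    rec["groups"] = [int(g) for g in rec["groups"].split(",") if g.strip()]
    for key in ("pid", "ruid", "euid"):
        rec[key] = int(rec[key])
    return rec

def is_setuid_exec(rec):
    """True when a non-root real user runs something as euid 0 (a setuid-root parent such as passwd(1))."""
    return rec["euid"] == 0 and rec["ruid"] != 0

def scan_log(lines):
    """Return (all parsed records, records flagged by is_setuid_exec)."""
    records = [r for r in (parse_exec_line(l) for l in lines) if r is not None]
    return records, [r for r in records if is_setuid_exec(r)]

# Constructed sample: the line from the message plus two made-up lines,
# one unprivileged exec and one that is not a CerbNG exec record at all.
SAMPLE_LOG = [
    'CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) '
    '(args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) '
    '[pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].',
    'CerbNG:sh(/bin/sh): Running ls(/bin/ls) (args: [ "ls", "-la" ]) '
    '[pid=700, ruid=1000, euid=1000, groups=[ 1000 ]].',
    'Feb 11 03:53:47 garage kernel: unrelated message',
]

if __name__ == "__main__":
    records, flagged = scan_log(SAMPLE_LOG)
    for r in flagged:
        print("setuid exec:", r["pfname"], "->", r["realpath"], r["args"])
```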

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.

