Date: Tue, 11 Feb 2003 03:53:47 +0100
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-hackers@freebsd.org, des@freebsd.org
Subject: Re: Some "security" questions.
Message-ID: <20030211025347.GI392@garage.freebsd.pl>
In-Reply-To: <20030211024028.GH392@garage.freebsd.pl>
References: <Pine.BSF.4.21.0302101752500.49102-100000@InterJet.elischer.org> <20030211024028.GH392@garage.freebsd.pl>

On Tue, Feb 11, 2003 at 03:40:28AM +0100, Pawel Jakub Dawidek wrote:
+> +> Anyone have any modules to REALLY log execs?
+>
+> Yes, we got:
+>
+> 	http://cerber.sourceforge.net
+>
+> If You want only execve() logging You can try rexec.

Or wait for the first cerb-ng release.
There is such a policy defined and it looks like:

if (syscall == SYS_execve) {
	log(LOG_INFO, "CerbNG:%s(%s): Running %s(%s) (args: %S) "
	    "[pid=%u, ruid=%u, euid=%u, groups=%U].", pname, pfname,
	    arg[0], realpath(arg[0]), arg[1], pid, ruid, euid, groups);
}

Output in logs is something like:

CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) (args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) [pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
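
Added example, not part of the original message and not CerbNG code: a Python parser for the exec log line shown above that flags records where euid is 0 but ruid is not, as in the passwd -> pwd_mkdb sample. The field layout is inferred from that one sample line; the syslog prefix and the second sample line are constructed.

```python
import re

# Layout inferred from the single sample line in the message above. How
# CerbNG escapes quotes or brackets inside arguments is not shown there,
# so this parser assumes arguments contain no double quotes.
LINE_RE = re.compile(
    r'CerbNG:(?P<pname>[^(]*)\((?P<ppath>[^)]*)\): '
    r'Running (?P<name>[^(]*)\((?P<path>[^)]*)\) '
    r'\(args: \[(?P<args>.*)\]\) '
    r'\[pid=(?P<pid>\d+), ruid=(?P<ruid>\d+), euid=(?P<euid>\d+), '
    r'groups=\[(?P<groups>[\d, ]*)\]\]\.'
)

def parse_exec(line):
    """Return a dict for one CerbNG exec record, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["args"] = re.findall(r'"([^"]*)"', rec["args"])
    rec["groups"] = [int(g) for g in rec["groups"].split(",") if g.strip()]
    for key in ("pid", "ruid", "euid"):
        rec[key] = int(rec[key])
    return rec

def elevated_execs(lines):
    """Yield records whose effective uid is root while the real uid is not."""
    for line in lines:
        rec = parse_exec(line)
        if rec and rec["euid"] == 0 and rec["ruid"] != 0:
            yield rec

# Constructed input: line 1 is the sample from the message with a made-up
# syslog prefix; line 2 is invented as an unprivileged contrast case.
SAMPLE = [
    'Feb 11 03:50:01 host /kernel: CerbNG:passwd(/usr/bin/passwd): Running '
    'pwd_mkdb(/usr/sbin/pwd_mkdb) (args: [ "pwd_mkdb", "-p", "-d", "/etc", '
    '"-u", "jules" ]) [pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].',
    'Feb 11 03:50:07 host /kernel: CerbNG:sh(/bin/sh): Running ls(/bin/ls) '
    '(args: [ "ls", "-l" ]) [pid=667, ruid=1000, euid=1000, groups=[ 1000 ]].',
]

if __name__ == "__main__":
    for rec in elevated_execs(SAMPLE):
        print(rec["pid"], rec["ppath"], "->", rec["path"], rec["args"])
```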