Thanks. I have enabled system accounting.
acct(5) seems to be limited by the fact that it is triggered on process
exit, doesn't contain the process ID or parent process ID and can only
store 10 characters for the command name.
ktrace could work but it's far too slow without limiting syscalls
recorded to a specific subset.
Is there any interest in modifying ktrace to allow for specifying
individual names of syscalls to trace?
e.g. ktrace -t c -u execve,sendmsg
On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote:
>man accton
>
>James <james@jmp-e.com> wrote:
>
>> Recently a machine running OpenBSD 6.8 had its configuration changed and I
>> believe it to have been subject to a malicious attack.
>>
>> This change is completely unexplainable, compromised security, and would
>> have required root access.
>>
>> The log files reveal nothing out of the ordinary except for wtmp
>> indicating 0 users are logged in:
>>
>> -bash-5.0# who
>> -bash-5.0# w
>> 1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50
>> USER TTY FROM LOGIN@ IDLE WHAT
>> -bash-5.0#
>>
>>
>> I would like to be able to log every exec syscall with the details of the
>> current timestamp, calling PID, program path, arguments, and new PID.
>>
>> Ideally this would be implemented in the kernel. Are there any
>> existing solutions?
>>
>> Thanks,
>>
>
No comments:
Post a Comment