On Tue, Feb 11, 2003 at 03:40:28AM +0100, Pawel Jakub Dawidek wrote:
>
> Anyone have any modules to REALLY log execs?
>
> Yes, we got:
>
> http://cerber.sourceforge.net
>
> If you want only execve() logging you can try rexec.
Or wait for the first cerb-ng release. There is such a policy defined,
and it looks like:
if (syscall == SYS_execve) {
        log(LOG_INFO, "CerbNG:%s(%s): Running %s(%s) (args: %S) "
            "[pid=%u, ruid=%u, euid=%u, groups=%U].",
            pname, pfname, arg[0], realpath(arg[0]), arg[1],
            pid, ruid, euid, groups);
}
The output in the logs looks something like:
CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) (args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) [pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].
--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
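An added example, not part of the message above and not code from cerb-ng or Cerber: a small Python parser for the CerbNG execve log format shown in the policy, plus a few detection rules run over constructed sample lines. The rule names, the UNTRUSTED_PREFIXES list and the sample lines other than the pwd_mkdb one are assumptions for illustration; the parser also assumes that the realpath() output contains no ')' and that the %S argument list is quoted in a way json can read, which holds for ordinary argv but not for every C escape.

```python
import json
import os
import re

# Matches one line produced by the cerb-ng policy quoted above:
#   CerbNG:<pname>(<pfname>): Running <arg[0]>(<realpath>) (args: [ ... ])
#   [pid=N, ruid=N, euid=N, groups=[ ... ]].
# Assumption: realpath() output contains no ')' and args use JSON-readable quoting.
_LOG_RE = re.compile(
    r'^CerbNG:(?P<pname>[^(]+)\((?P<pfname>[^)]*)\): '
    r'Running (?P<exec_path>[^(]+)\((?P<real_path>[^)]*)\) '
    r'\(args: \[(?P<args>.*)\]\) '
    r'\[pid=(?P<pid>\d+), ruid=(?P<ruid>\d+), euid=(?P<euid>\d+), '
    r'groups=\[(?P<groups>[^\]]*)\]\]\.$'
)

# Hypothetical policy: executables living here are never expected in production.
UNTRUSTED_PREFIXES = ('/tmp/', '/var/tmp/', '/dev/shm/', '/home/')
SHELLS = {'sh', 'bash', 'csh', 'tcsh', 'ksh', 'zsh'}


def parse_line(line):
    """Return a dict for one CerbNG exec line, or None if it does not match."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        args = json.loads('[' + m.group('args') + ']')
    except ValueError:
        args = []  # exotic escaping; keep the event, drop the argv
    groups = [int(g) for g in m.group('groups').split(',') if g.strip()]
    return {
        'parent': m.group('pname'), 'parent_path': m.group('pfname'),
        'exec_path': m.group('exec_path'), 'real_path': m.group('real_path'),
        'args': args, 'pid': int(m.group('pid')),
        'ruid': int(m.group('ruid')), 'euid': int(m.group('euid')),
        'groups': groups,
    }


def analyze(ev):
    """Apply the detection rules to one parsed event; returns the rule names that fired."""
    findings = []
    base = os.path.basename(ev['real_path'])
    # A process executing as root on behalf of a non-root real user: a setuid
    # boundary was crossed (exactly what the passwd -> pwd_mkdb line shows).
    if ev['euid'] == 0 and ev['ruid'] != 0:
        findings.append('setuid-root exec')
        if base in SHELLS:
            findings.append('root shell from setuid')
    if ev['real_path'].startswith(UNTRUSTED_PREFIXES):
        findings.append('exec from untrusted path')
    # argv[0] that does not name the binary actually run; the leading '-' of a
    # login shell ("-sh") is stripped so it does not trip the rule.
    if ev['args'] and os.path.basename(ev['args'][0].lstrip('-')) != base:
        findings.append('argv[0] mismatch')
    return findings


def scan(text):
    """Parse every line of a log and return (pid, real_path, findings) for events that fired."""
    results = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = analyze(ev)
        if findings:
            results.append((ev['pid'], ev['real_path'], findings))
    return results


# Constructed sample log: the first line is the one from the message above,
# the other three are made up for this example.
SAMPLE_LOG = """\
CerbNG:passwd(/usr/bin/passwd): Running pwd_mkdb(/usr/sbin/pwd_mkdb) (args: [ "pwd_mkdb", "-p", "-d", "/etc", "-u", "jules" ]) [pid=666, ruid=1000, euid=0, groups=[ 1000, 1000, 0 ]].
CerbNG:sshd(/usr/sbin/sshd): Running /bin/sh(/bin/sh) (args: [ "-sh" ]) [pid=700, ruid=1000, euid=1000, groups=[ 1000 ]].
CerbNG:httpd(/usr/local/sbin/httpd): Running /tmp/.x(/tmp/.x) (args: [ "httpd" ]) [pid=701, ruid=80, euid=80, groups=[ 80 ]].
CerbNG:su(/usr/bin/su): Running /bin/sh(/bin/sh) (args: [ "sh" ]) [pid=702, ruid=1000, euid=0, groups=[ 0, 1000 ]].
"""

if __name__ == '__main__':
    for pid, path, findings in scan(SAMPLE_LOG):
        print(pid, path, ', '.join(findings))
```

Two caveats when running something like this over a real log: the setuid rules fire on every legitimate su, sudo and passwd invocation, so they need a baseline of known parent/child pairs before they are useful as alerts rather than as an audit trail; and the argv[0] rule is a heuristic, since wrappers and busybox-style multicall binaries set argv[0] on purpose.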

