Process accounting and lastcomm(1) can detect execve(2) violations

of pinsyscall(2) policy.  Report such findings in daily mail like
other security violations.  User has to turn on accounting=YES in
rc.conf.local to utilize this feature.
OK deraadt@

diff --git a/etc/daily b/etc/daily
index 96d6ac4..5d052e3 100644 (file)
--- a/etc/daily
+++ b/etc/daily
@@ -1,5 +1,5 @@
 #
-#      $OpenBSD: daily,v 1.96 2022/10/19 21:23:31 sthen Exp $
+#      $OpenBSD: daily,v 1.97 2023/03/03 16:22:57 bluhm Exp $
 #      From: @(#)daily 8.2 (Berkeley) 1/25/94
 #
 # For local additions, create the file /etc/daily.local.
@@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then
                mv -f /var/account/acct.0 /var/account/acct.1
        cp -f /var/account/acct /var/account/acct.0
        sa -sq
-       lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]'
+       lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[EMPTU]'
 fi
 
 # If ROOTBACKUP is set to 1 in the environment, and