From: bluhm Date: Fri, 3 Mar 2023 16:22:57 +0000 (+0000) Subject: Process accounting and lastcomm(1) can detect execve(2) violations X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=693dc5e1c009c5ddba5b7e66566029d2e38cec79;p=openbsd Process accounting and lastcomm(1) can detect execve(2) violations of pinsyscall(2) policy. Report such findings in daily mail like other security violations. User has to turn on accounting=YES in rc.conf.local to utilize this feature. OK deraadt@ --- diff --git a/etc/daily b/etc/daily index 96d6ac4cc92..5d052e3239c 100644 --- a/etc/daily +++ b/etc/daily @@ -1,5 +1,5 @@ # -# $OpenBSD: daily,v 1.96 2022/10/19 21:23:31 sthen Exp $ +# $OpenBSD: daily,v 1.97 2023/03/03 16:22:57 bluhm Exp $ # From: @(#)daily 8.2 (Berkeley) 1/25/94 # # For local additions, create the file /etc/daily.local. @@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then mv -f /var/account/acct.0 /var/account/acct.1 cp -f /var/account/acct /var/account/acct.0 sa -sq - lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]' + lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[EMPTU]' fi # If ROOTBACKUP is set to 1 in the environment, and
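Review bot: the flag letters in the grep pattern on the changed lastcomm line of the second hunk (' -[A-Z]*[EMPTU]') are not explained anywhere in the visible script, and adding E makes the set harder to read at a glance. Suggest a one-line comment above the lastcomm call that names what is being reported, at least that E marks the execve(2) violation of pinsyscall(2) policy described in the commit message, so someone reading a hit in the daily mail can map it back to its cause. The line stays inside the existing "if [ -f /var/account/acct ]" block, so it only produces output when accounting is enabled, which matches the commit message; saying so in the same comment would save the reader a lookup.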