MK try it now.
http://www.linbsd.org/log_execve.38.patch

Thanks to Ted for pointing out the not so obvious
mistakes in it.

Thanks.

-Ober

On Mon, 26 Dec 2005, Ted Unangst wrote:

On 12/25/05, ober <[EMAIL PROTECTED]> wrote:
Here is a patch, probably something you want to test before using on
a production box.
http://www.linbsd.org/log_execve.38.patch
It logs commands to syslog like this:

EXECVE: uid:1000 fullpath:/bin/ls command:ls foo
EXECVE: uid:1000 fullpath:/sbin/dmesg command:dmesg
EXECVE: uid:1000 fullpath:/usr/bin/touch command:touch fff

accessing a user pointer from kernel is an easy denial of service attack.

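An added example, not part of the thread or of the patch: a small Python parser for the `EXECVE:` syslog lines quoted above, for reviewing what the patch logs. The field layout is inferred from the three sample lines only; the syslog prefix, the `-sh` line and the truncated line are constructed, and the function names are hypothetical.

```python
import os
import re
from collections import Counter

# Layout inferred from the sample lines in the thread. Anything before
# "EXECVE:" (syslog timestamp, host, tag) is ignored. The format has no
# escaping, so fullpath is taken to end at the first " command:".
EXECVE_RE = re.compile(r"EXECVE: uid:(\d+) fullpath:(.+?) command:(.*)$")

# Constructed input: the three lines from the thread (the first with a made-up
# syslog prefix) plus two constructed lines that exercise the edge cases.
SAMPLE = """\
Dec 26 10:00:01 host /bsd: EXECVE: uid:1000 fullpath:/bin/ls command:ls foo
EXECVE: uid:1000 fullpath:/sbin/dmesg command:dmesg
EXECVE: uid:1000 fullpath:/usr/bin/touch command:touch fff
EXECVE: uid:1000 fullpath:/bin/sh command:-sh
EXECVE: uid:1000 fullpath:/bin/ls
"""

def parse_line(line):
    """Return a dict for one EXECVE record, or None if the line does not match."""
    m = EXECVE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    uid, fullpath, command = m.groups()
    argv0 = command.split(" ", 1)[0]
    return {
        "uid": int(uid),
        "fullpath": fullpath,
        "command": command,
        # argv[0] is chosen by the caller (a login shell runs as "-sh"), so it
        # can differ from the binary that ran; key reports on fullpath.
        "argv0_differs": os.path.basename(fullpath) != os.path.basename(argv0),
    }

def summarize(text):
    """Count executions per (uid, fullpath) and keep lines that failed to parse."""
    records, counts, rejected = [], Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)  # truncated or foreign line: keep for review
            continue
        records.append(rec)
        counts[(rec["uid"], rec["fullpath"])] += 1
    return records, counts, rejected

if __name__ == "__main__":
    records, counts, rejected = summarize(SAMPLE)
    for (uid, path), n in sorted(counts.items()):
        print(uid, path, n)
    print("unparsed:", rejected)
```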