man accton

James <[email protected]> wrote:
> Recently a machine running OpenBSD 6.8 had its configuration changed and I
> believe it to have been subject to a malicious attack.
>
> This change is completely unexplainable, compromised security, and would
> have required root access.
>
> The log files reveal nothing out of the ordinary except for wtmp
> indicating 0 users are logged in:
>
> -bash-5.0# who
> -bash-5.0# w
>  1:49PM  up  2:21, 0 users, load averages: 1.35, 1.38, 1.50
> USER    TTY FROM    LOGIN@  IDLE WHAT
> -bash-5.0#
>
>
> I would like to be able to log every exec syscall with the details of the
> current timestamp, calling PID, program path, arguments, and new PID.
>
> Ideally this would be implemented in the kernel. Are there any
> existing solutions?
>
> Thanks,
>

