So you want to ktrace your entire system, with a limited set of monitors. I've played with this before, to identify specific behaviours when developing pledge. It required a large number of hacks, and the performance was dismal.
Based upon my experience, I predict it will not work for your usage case at all. James <ja...@jmp-e.com> wrote: > Thanks. I have enabled system accounting. > > acct(5) seems to be limited by the fact that it is triggered on process > exit, doesn't contain the process ID or parent process ID and can only > store 10 characters for the command name. > > ktrace could work but it's far too slow without limiting syscalls > recorded to a specific subset. > > Is there any interest in modifying ktrace to allow for specifying > individual names of syscalls to trace? > > e.g. ktrace -t c -u execve,sendmsg > > On Fri, Nov 13, 2020 at 07:57:54AM -0700, Theo de Raadt wrote: > >man accton > > > >James <ja...@jmp-e.com> wrote: > > > >> Recently a machine running OpenBSD 6.8 had its configuration changed and I > >> believe it to have been subject to a malicious attack. > >> > >> This change is completely unexplainable, compromised security, and would > >> have required root access. > >> > >> The log files reveal nothing out of the ordinary except for wtmp > >> indicating 0 users are logged in: > >> > >> -bash-5.0# who > >> -bash-5.0# w > >> 1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50 > >> USER TTY FROM LOGIN@ IDLE WHAT > >> -bash-5.0# > >> > >> > >> I would like to be able to log every exec syscall with the details of the > >> current timestamp, calling PID, program path, arguments, and new PID. > >> > >> Ideally this would be implemented in the kernel. Are there any > >> existing solutions? > >> > >> Thanks, > >> > >