Recently a machine running OpenBSD 6.8 had its configuration changed and I
believe it to have been subject to a malicious attack.
This change is completely unexplainable, compromised security, and would
have required root access.
The log files reveal nothing out of the ordinary except for wtmp
indicating 0 users are logged in:
-bash-5.0# who
-bash-5.0# w
1:49PM up 2:21, 0 users, load averages: 1.35, 1.38, 1.50
USER TTY FROM LOGIN@ IDLE WHAT
-bash-5.0#
I would like to be able to log every exec syscall with the details of the
current timestamp, calling PID, program path, arguments, and new PID.
Ideally this would be implemented in the kernel. Are there any
existing solutions?
Thanks,
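A userland counterpart to what the post asks for, as an added example that is not part of the original message: OpenBSD's ktrace(1) can record execve(2) calls with the resolved path and argument vector (the `x` trace flag), and kdump(1) prints them with absolute timestamps under `-T`. The script below parses that kind of output into one audit line per exec attempt. The exact kdump line layout it assumes (pid, command, timestamp, record type, payload) and the sample trace are constructed for this example. One detail worth keeping in mind when building such a log: execve does not create a new PID; the process keeps its PID and only replaces its image, so the "new PID" comes from the fork(2) return value, which the parser also picks up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of kdump(1)-style text. The layout assumed here is
# "pid command timestamp TYPE payload" as one would get from `ktrace -t cnx`
# followed by `kdump -T`; it is an assumption for this example, not a capture.
SAMPLE_KDUMP = """\
 71152 sh       1612345678.100001 CALL  fork()
 71152 sh       1612345678.100010 RET   fork 71153/0x115f1
 71153 sh       1612345678.100020 CALL  execve(0x7f7ffffd8a80,0x7f7ffffd8aa0,0x7f7ffffd8ab8)
 71153 sh       1612345678.100030 NAMI  "/bin/ls"
 71153 sh       1612345678.100040 ARGS
\t[0] = "ls"
\t[1] = "-l"
\t[2] = "/etc"
 71153 sh       1612345678.100050 RET   execve 0
 71160 sh       1612345678.200000 CALL  execve(0x1,0x2,0x3)
 71160 sh       1612345678.200010 NAMI  "/nonexistent"
 71160 sh       1612345678.200020 RET   execve -1 errno 2 No such file or directory
"""

RECORD_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+\.\d+)\s+(CALL|NAMI|ARGS|RET)\s*(.*)$")
ARG_RE = re.compile(r'^\s*\[(\d+)\]\s*=\s*"(.*)"\s*$')
FORK_RET_RE = re.compile(r"^fork\s+(\d+)/")
EXEC_RET_RE = re.compile(r"^execve\s+(-?\d+)")


@dataclass(frozen=True)
class ExecRecord:
    timestamp: float           # absolute time of the execve CALL record
    pid: int                   # process issuing execve (unchanged by a successful exec)
    parent_pid: Optional[int]  # pid that forked it, if a fork RET was seen in the trace
    comm: str                  # command name before the exec
    path: str                  # first path resolved by the kernel (NAMI record)
    args: Tuple[str, ...]      # argv from the ARGS record
    succeeded: bool            # execve returned 0


class _Pending:
    """State for an execve that has been called but has not returned yet."""
    def __init__(self, timestamp: float, pid: int, comm: str) -> None:
        self.timestamp = timestamp
        self.pid = pid
        self.comm = comm
        self.path = ""
        self.args: List[str] = []
        self.in_args = False


def parse_kdump(text: str) -> List[ExecRecord]:
    """Turn kdump text into one ExecRecord per execve attempt, success or failure."""
    pending: Dict[int, _Pending] = {}
    parent_of: Dict[int, int] = {}
    records: List[ExecRecord] = []
    current_pid: Optional[int] = None

    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            # Continuation line: argv entries belong to the last ARGS record seen.
            a = ARG_RE.match(line)
            p = pending.get(current_pid) if current_pid is not None else None
            if a and p is not None and p.in_args:
                p.args.append(a.group(2))
            continue

        pid, comm = int(m.group(1)), m.group(2)
        ts, kind, payload = float(m.group(3)), m.group(4), m.group(5)
        current_pid = pid
        p = pending.get(pid)

        if kind == "CALL" and payload.startswith("execve("):
            pending[pid] = _Pending(ts, pid, comm)
        elif kind == "NAMI" and p is not None and not p.path:
            p.path = payload.strip('"')
        elif kind == "ARGS" and p is not None:
            p.in_args = True
        elif kind == "RET":
            f = FORK_RET_RE.match(payload)
            if f:  # child pid is the first return value of fork
                parent_of[int(f.group(1))] = pid
            e = EXEC_RET_RE.match(payload)
            if e and p is not None:
                records.append(ExecRecord(p.timestamp, pid, parent_of.get(pid), p.comm,
                                          p.path, tuple(p.args), int(e.group(1)) == 0))
                del pending[pid]
    return records


def format_record(r: ExecRecord) -> str:
    """One audit line per exec: timestamp, pids, resolved path and argv."""
    status = "ok" if r.succeeded else "FAILED"
    parent = r.parent_pid if r.parent_pid is not None else "?"
    return f"{r.timestamp:.6f} exec {status} pid={r.pid} parent={parent} path={r.path} argv={list(r.args)}"


if __name__ == "__main__":
    for rec in parse_kdump(SAMPLE_KDUMP):
        print(format_record(rec))
```

ktrace only follows processes started under it (or attached with `-p`), so this gives per-session rather than system-wide coverage; it is the userland approximation of the kernel hook the post describes, not a replacement for it. Failed execve attempts are kept as separate records on purpose, since an attempt to run a binary that is not there is often the more interesting event when looking for tampering.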