Process accounting and lastcomm(1) can detect execve(2) violations

of pinsyscall(2) policy. Report such findings in daily mail like other security violations. User has to turn on accounting=YES in rc.conf.local to utilize this feature. OK deraadt@
2025-01-10 06:47:55 -08:00 · 2023-03-03 16:22:57 +00:00 · 2023-03-03 16:22:57 +00:00 · 693dc5e1c0
commit 693dc5e1c0
parent bb47adf3f1
1 changed files with 2 additions and 2 deletions
--- a/etc/daily
+++ b/etc/daily
@ -1,5 +1,5 @@
 #
-#	$OpenBSD: daily,v 1.96 2022/10/19 21:23:31 sthen Exp $
+#	$OpenBSD: daily,v 1.97 2023/03/03 16:22:57 bluhm Exp $
 #	From: @(#)daily	8.2 (Berkeley) 1/25/94
 #
 # For local additions, create the file /etc/daily.local.
@ -74,7 +74,7 @@ if [ -f /var/account/acct ]; then
 		mv -f /var/account/acct.0 /var/account/acct.1
 	cp -f /var/account/acct /var/account/acct.0
 	sa -sq
-	lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]'
+	lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[EMPTU]'
 fi

 # If ROOTBACKUP is set to 1 in the environment, and