From: Roman Drahtmueller (drahtsuse.de)
Date: Tue Sep 18 2001 - 07:17:01 CDT
> Yep. Kernel-land tools are the right ones, although
> acct(2) only works when the process calls exit(2).
Not quite (good that you mention it). The program gets logged when the
task is being removed from the task list in do_exit() inside the kernel.
The actual reason why it died doesn't count (besides, there is a bug in
the lastcomm(1) manpage: Not only SIGTERM causes that "X" in lastcomm's
output!), since this reason is beyond the control of the userspace at this
> Programs killed with sigkill for example don't appear
> in the logs then.
This is a good reason for not trying this in user- and libraryspace.
# cd /var/account/
# touch pacct
# chmod 640 pacct
# accton pacct
# ls -la pacct
-rw-r----- 1 root root 64 Sep 18 14:08 pacct
# sleep 400 &
# kill -9 16390
+ Killed sleep 400
sleep X root stdin 0.01 secs Tue Sep 18 14:08
ls root stdin 0.00 secs Tue Sep 18 14:08
accton S root stdin 0.00 secs Tue Sep 18 14:08
-- 
 -                                                                      -
| Roman Drahtmüller      <drahtsuse.de> // "You don't need eyes to see, |
  SuSE GmbH - Security           Phone: //             you need vision!"
| Nürnberg, Germany      +49-911-740530 //         Maxi Jazz, Faithless |
 -                                                                      -
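Added example, not part of the original message: a parser for the accounting file that reads each record's flag byte and exit status, showing that the "X" lastcomm prints marks death by any signal and which signal it was. It assumes the struct acct_v3 layout of current Linux kernels (the 2001 kernel in the post wrote an older 64-byte format); the helper names and all sample record contents except pid 16390 are constructed.

```python
import struct

# Assumption: records use struct acct_v3 from <linux/acct.h> (64 bytes, little-endian).
# Fields: flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
#         eight comp_t counters, 16-byte command name.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")

# ac_flag bits and the letters lastcomm(1) prints for them.
FLAG_LETTERS = [(0x02, "S"), (0x01, "F"), (0x04, "C"), (0x08, "D"), (0x10, "X")]
AXSIG = 0x10  # set by the kernel when the task was terminated by a signal


def parse_pacct(data):
    """Return one dict per complete accounting record in a pacct byte string."""
    records = []
    usable = len(data) - len(data) % ACCT_V3.size  # skip a partially written tail
    for off in range(0, usable, ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        flag, version, exitcode = f[0], f[1], f[3]
        if version != 3:
            raise ValueError(f"record at offset {off}: unsupported version {version}")
        records.append({
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "flags": "".join(c for bit, c in FLAG_LETTERS if flag & bit),
            "uid": f[4],
            "pid": f[6],
            # ac_exitcode is a wait(2)-style status: low 7 bits hold the signal.
            "signal": exitcode & 0x7F if flag & AXSIG else None,
        })
    return records


def killed_by_signal(data):
    """List (command, pid, signal) for every record carrying the X flag."""
    return [(r["comm"], r["pid"], r["signal"]) for r in parse_pacct(data) if "X" in r["flags"]]


def make_record(comm, flag, exitcode, pid, uid=0):
    """Build a constructed sample record; timing and resource fields are zeroed."""
    return ACCT_V3.pack(flag, 3, 0, exitcode, uid, 0, pid, 1, 0, 0.0, *([0] * 8), comm.encode())


# Constructed sample mirroring the session above, plus a truncated trailing record.
SAMPLE = (make_record("accton", 0x02, 0, 16388)
          + make_record("ls", 0x00, 0, 16389)
          + make_record("sleep", AXSIG, 9, 16390)   # kill -9, not SIGTERM
          + b"\x00" * 20)

if __name__ == "__main__":
    for r in parse_pacct(SAMPLE):
        print(f'{r["comm"]:<8} {r["flags"]:<3} pid={r["pid"]} signal={r["signal"]}')
```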