Hi gang!
I'm diving a bit deeper into the process of securing my FreeBSD environment a bit more and came across the Process Accounting.
I followed the steps to set everything up and it worked like a charm. However, when studying the whole setup a bit more I suddenly noticed that if you follow the steps from the handbook to set everything up you're basically providing everyone who has a user account on your system access to the collected accounting information.
When a normal user starts lastcomm(1) then they get to see the full accounting history.
I consider that quite a major flaw to be honest. Especially since it can be easily prevented by simply changing the permission bits on the /var/account directory. By default this is owned by root:wheel yet has a permission mask of 755, so effectively allowing everyone access.
If you follow the instructions and use

touch /var/account/acct

you'll create a file which has 644 as its permission mask, thus also allowing everyone read access.

The solution should be obvious:

# chmod o-rx /var/account

This will prevent anyone outside the wheel group from gaining access to your accounting data.

I'm somewhat surprised that this detail wasn't mentioned in the handbook because in my opinion following the default steps can create a potentially dangerous source of information for any intruders.
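As an added example (not part of the post above), here is a small POSIX sh audit that checks whether the accounting directory and the acct file are reachable by users outside root:wheel, and a helper that applies the fix from the post. The paths default to the handbook locations but are parameters so the functions can be exercised against a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example: audit and tighten process-accounting file permissions.
# Not the handbook's or the post's code; function names are assumptions.

# Print the "other" permission triplet (e.g. "r-x") of a path. ls(1) is
# used instead of stat(1) because stat's flags differ between FreeBSD
# and GNU userlands.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Report whether accounting data is world-accessible.
# Arguments: [directory] [accounting file]; defaults match the handbook.
# Returns 0 when nothing is exposed to "other", 1 otherwise.
audit_acct() {
    dir="${1:-/var/account}"
    file="${2:-$dir/acct}"
    rc=0
    for p in "$dir" "$file"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            continue
        fi
        case "$(other_bits "$p")" in
            ---) echo "ok: $p has no world access" ;;
            *)   echo "EXPOSED: $p is world-accessible ($(ls -ld "$p" | cut -c1-10))"
                 rc=1 ;;
        esac
    done
    return $rc
}

# Apply the post's fix (drop world access on the directory) and also
# drop world access on the accounting file itself, since touch(1) under
# the default umask leaves it mode 644.
fix_acct() {
    dir="${1:-/var/account}"
    file="${2:-$dir/acct}"
    chmod o-rwx "$dir" || return 1
    if [ -e "$file" ]; then
        chmod o-rwx "$file" || return 1
    fi
    return 0
}
```

Source the file and run `audit_acct` with no arguments to check the live system; `fix_acct` needs to run as root on the real /var/account.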