For example, if I would create a uid/gid based rule
Code:
ipfw add allow log all from any to any uid test
This would log all activity to the ipfw0 interface from that user, .. if ipfw disable verbose, of course ..
Now my problem: I run apache-itk-mpm, .. and the setuid processes aren't logged, neither are those of ssh, .. strange thing is the process has that specific uid, however it is not logged because it is a setuid. And I've noticed the same goes for other processes that use setuid.
Is there a way around this?
Another concern is, for example, lastcomm: ps aux only shows the user's processes, same goes for sockstat, however if the user types lastcomm it shows all history?
Code:
security.bsd.see_other_gids: 0
security.bsd.see_other_uids: 0
Code:
$ sockstat
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
$ ps aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
test 45350 0.2 0.1 10324 2392 8 S 1:28PM 0:00.04 _su (tcsh)
test 45359 0.0 0.1 8296 1428 8 S 1:28PM 0:00.00 sh
test 45360 0.0 0.1 8044 1132 8 R+ 1:29PM 0:00.00 ps aux
$ lastcomm | tail
cat - root __ 0.002 secs Sun Aug 14 03:05
sh - root __ 0.006 secs Sun Aug 14 03:05
dump - root __ 0.003 secs Sun Aug 14 03:05
df - root __ 0.003 secs Sun Aug 14 03:05
cp - root __ 0.003 secs Sun Aug 14 03:05
sh - root __ 0.005 secs Sun Aug 14 03:05
cp - root __ 0.003 secs Sun Aug 14 03:05
cat - root __ 0.002 secs Sun Aug 14 03:05
sh - root __ 0.009 secs Sun Aug 14 03:05
sa - root __ 1.460 secs Sun Aug 14 03:05
$ id
uid=2365(test) gid=10000(sensor) groups=10000(sensor)
$
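An added audit script (example code, not from the post or from FreeBSD itself) that checks the two things the post's output shows: the security.bsd.see_other_uids / see_other_gids knobs, and the permissions of the process-accounting file that lastcomm(1) reads (assumed here to be the default /var/account/acct). The sysctl lines and the ls -l line are constructed samples so the script runs offline; on a real host you would feed it `sysctl security.bsd.see_other_uids security.bsd.see_other_gids` and `ls -l /var/account/acct` instead.

```shell
#!/bin/sh
# Added example: audit the process-visibility knobs and the accounting
# file behind the ps / sockstat / lastcomm behaviour described in the post.

# Constructed sample: output of
#   sysctl security.bsd.see_other_gids security.bsd.see_other_uids
# on a host where both knobs are already restricted (values from the post).
SAMPLE_SYSCTL='security.bsd.see_other_gids: 0
security.bsd.see_other_uids: 0'

# Constructed sample with both knobs still permissive.
SAMPLE_SYSCTL_OPEN='security.bsd.see_other_gids: 1
security.bsd.see_other_uids: 1'

# Constructed sample `ls -l` lines for the accounting file (path assumed).
SAMPLE_ACCT_WORLD='-rw-r--r--  1 root  wheel  65536 Aug 14 03:05 /var/account/acct'
SAMPLE_ACCT_PRIVATE='-rw-r-----  1 root  wheel  65536 Aug 14 03:05 /var/account/acct'

# Print the value of one "name: value" sysctl line read from stdin.
sysctl_value() {
    awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# Report which of the two visibility knobs still lets a user see other
# users' processes; prints "ok" when both are 0.
check_see_other() {
    uids=$(printf '%s\n' "$1" | sysctl_value security.bsd.see_other_uids)
    gids=$(printf '%s\n' "$1" | sysctl_value security.bsd.see_other_gids)
    out=""
    [ "$uids" = "0" ] || out="see_other_uids=$uids"
    [ "$gids" = "0" ] || out="${out}${out:+ }see_other_gids=$gids"
    [ -n "$out" ] && printf '%s\n' "$out" || echo ok
}

# Return 0 when the mode field of an `ls -l` line has no "other" read bit,
# i.e. an ordinary user cannot read the whole accounting history;
# return 1 when the file is world-readable.
acct_private() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$mode" in
        ???????r*) return 1 ;;   # 8th char is the "other" read bit
        *)         return 0 ;;
    esac
}

# Stand-alone run over the constructed samples.
echo "restricted host: $(check_see_other "$SAMPLE_SYSCTL")"
echo "open host:       $(check_see_other "$SAMPLE_SYSCTL_OPEN")"
if acct_private "$SAMPLE_ACCT_WORLD"; then
    echo "acct: not world-readable"
else
    echo "acct: world-readable, every user can read the full lastcomm history"
fi
```

The see_other_* knobs only affect what ps, sockstat and similar tools report through the kernel; lastcomm reads the accounting file directly, so its visibility is governed by that file's mode, which is why the script checks the two separately.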