Subject: security/9358: acct(2) and acct(5) process accounting need to record dev_t and ino_t of command
To: None <gnats-bugs@gnats.netbsd.org>
From: Erik E. Fair <fair@digital.clock.org>
List: netbsd-bugs
Date: 02/06/2000 14:48:37
>Number:         9358
>Category:       security
>Synopsis:       acct(2) and acct(5) process accounting need to record dev_t and ino_t of command
>Confidential:   yes
>Severity:       non-critical
>Priority:       low
>Responsible:    security-officer (NetBSD Security Officer)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Feb  6 14:48:00 2000
>Last-Modified:
>Originator:     Erik E. Fair
>Organization:
	<a href="http://www.clock.org">International Organization of Internet Clock Watchers</a>
>Release:        all NetBSD releases to date
>Environment:
	
System: NetBSD digital.clock.org 1.4.2_ALPHA NetBSD 1.4.2_ALPHA (DIGITAL) #10: Mon Jan 10 22:38:56 PST 2000 fair@doomsday.clock.org:/usr/obj/sys/arch/alpha/compile/DIGITAL alpha


>Description:
	The acct(2) and acct(5) process accounting facility only
	records the name of a command executed. This is not sufficient
	to positively identify the file executed from the filesystem
	because a program can be named most anything.

	This situation allows an attacker on a system with process
	accounting to hide what he does by giving his programs
	more ordinary names, e.g. sh, cat, ls, less, etc.

>How-To-Repeat:
	examine /usr/include/sys/acct.h and read acct(5)
>Fix:
	add the dev_t and ino_t (the device and inode numbers) of
	the command to the process accounting output.

	These two values are compact, and can be used with find(1)
	or ls(1) to positively identify the program that was run
	(if it still exists in the filesystem).

	If the file no longer exists at the {name,device,inode} tuple,
	then you know it probably wasn't the program named in the
	"comm" field.

	A sophisticated attacker might be able to temporarily
	replace a binary in a particular file with cp(1), but this
	can be mitigated with chflags(2) by setting system binaries
	system immutable.
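	The following is an added illustration of the proposed fix and
	of the find(1)/ls(1) check above; it is not code from this PR or
	from NetBSD's acct(2)/acct(5). The struct name acct_ext, the
	ACCT_COMM_LEN size, and the function names are assumptions, and
	stat(2) stands in for the lookup the kernel would do at exec time.
	It builds a record {comm, dev, ino} for a file, then shows the
	three outcomes a later check can have: the same inode is still
	at the path (the record is trustworthy), a different file now
	sits under that name (the "comm" field alone would have misled),
	or the path is gone.

```c
/* Added example, not code from the PR or from NetBSD's acct(2)/acct(5):
 * a hypothetical accounting record carrying the executable's dev_t/ino_t
 * next to ac_comm, plus the after-the-fact checks a defender would run.
 * stat(2) stands in for the kernel's exec-time lookup; the struct and
 * function names are assumptions. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Assumed field size; the real one is in /usr/include/sys/acct.h. */
#define ACCT_COMM_LEN 16

struct acct_ext {
    char  ac_comm[ACCT_COMM_LEN]; /* command name, as acct(5) records today */
    dev_t ac_dev;                 /* proposed: device the executed file is on */
    ino_t ac_ino;                 /* proposed: inode number of the executed file */
};

enum acct_verdict { ACCT_MATCH, ACCT_MISMATCH, ACCT_GONE };

/* Build a record for the file at `path`, as the kernel would at exec time.
 * Returns 0 on success, -1 if the file cannot be stat'ed. */
int acct_record_from_path(const char *path, struct acct_ext *rec)
{
    struct stat st;
    const char *base;

    if (stat(path, &st) != 0)
        return -1;
    base = strrchr(path, '/');
    base = base ? base + 1 : path;
    memset(rec, 0, sizeof *rec);
    strncpy(rec->ac_comm, base, ACCT_COMM_LEN - 1);
    rec->ac_dev = st.st_dev;
    rec->ac_ino = st.st_ino;
    return 0;
}

/* Compare a record with whatever is at `path` now.
 * ACCT_MATCH:    same device and inode, so this is the file that ran.
 * ACCT_MISMATCH: a file is there, but not the one that ran; the name
 *                alone would have misled.
 * ACCT_GONE:     nothing at that path any more. */
enum acct_verdict acct_verify(const struct acct_ext *rec, const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return ACCT_GONE;
    if (st.st_dev == rec->ac_dev && st.st_ino == rec->ac_ino)
        return ACCT_MATCH;
    return ACCT_MISMATCH;
}

/* The find(1)/ls(1) step: look for rec->ac_comm in each directory of
 * `dirs` and report the first one whose dev/ino match. Returns the index
 * into `dirs`, or -1 if no directory holds that exact file. */
int acct_locate(const struct acct_ext *rec, const char *const dirs[], int ndirs)
{
    char path[4096];
    int i;

    for (i = 0; i < ndirs; i++) {
        snprintf(path, sizeof path, "%s/%s", dirs[i], rec->ac_comm);
        if (acct_verify(rec, path) == ACCT_MATCH)
            return i;
    }
    return -1;
}

int main(void)
{
    static const char *const dirs[] = { "/usr/bin", "/bin" };
    struct acct_ext rec;
    int where;

    if (acct_record_from_path("/bin/sh", &rec) != 0) {
        perror("stat /bin/sh");
        return 1;
    }
    printf("comm=%s dev=%llu ino=%llu\n", rec.ac_comm,
           (unsigned long long)rec.ac_dev, (unsigned long long)rec.ac_ino);
    /* /bin/ls has a different inode, so a record for sh must not match it. */
    printf("verify /bin/sh: %d, /bin/ls: %d (0=match 1=mismatch 2=gone)\n",
           acct_verify(&rec, "/bin/sh"), acct_verify(&rec, "/bin/ls"));
    where = acct_locate(&rec, dirs, 2);
    printf("located in: %s\n", where < 0 ? "(not found)" : dirs[where]);
    return 0;
}
```

	A record that verifies as ACCT_MISMATCH or ACCT_GONE is exactly
	the case the PR is after: the "comm" field said sh, but the inode
	that actually ran is not the sh now installed under that name.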
>Audit-Trail:
>Unformatted: