
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

649.0. "Accounting records not being written?" by SRFSUP::LONGO (Bob Longo) Tue Jan 05 1988 07:20

    How could a non-privileged user have logged into a system and logged
    out without a corresponding accounting record being written?  Will
    hanging up the phone accomplish this?  How about STOP/ID=0?
    
    This is sorta scary, because accounting records are often used to
    track security-related issues on systems.  I only know this particular
    user was logged in because his last login date in his UAF record
    says so, and he edited some of his files.
    
    By the way, the system did not crash or anything like that.
    
    Thanks for any info,
    -Bob

649.1. "puzzling...." by IND::HERMITT (You and I while we can...) Thu Jan 07 1988 17:53

    I know accounting is funny in that image activation records are
    not written to disk immediately, but process termination records
    should be.  I assume the user could not have done a "run/noaccounting".
    Things to check (I guess):  have you only one version of the 
    accountng.dat file?  Was the last login in the uaf interactive?
    I don't know about the stop/id=0 (stop.exe??)
     
649.2. by VIDEO::LEICHTERJ (Jerry Leichter) Sat Jan 09 1988 14:52

Neither STOP/ID=0, nor hanging up, nor anything else should prevent the process
termination record from being written.  You've either got (a) some problem in
the way your system is set up, such as the multiple accounting file possibility
mentioned earlier; (b) a bug; (c) a hacker.
							-- Jerry

649.3. "Disk full ?" by UTRTSC::VDBURG (Jur van der Burg - (van der BUG)) Mon Jan 18 1988 06:02

    I've seen this happen before when the system disk became full.
    After a message from JOBCTL on the console the accounting will be
    disabled. If the disk becomes free again, the accounting won't be
    restarted.