Re: Syscalls - Steve Grubb

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Valdis.Kletnieks@vt.edu
Cc: linux-audit@redhat.com, "Johnston Mark (UK)" <Mark.Johnston@o2.com>
Subject: Re: Syscalls
Date: Wed, 28 Feb 2007 10:25:42 -0500	[thread overview]
Message-ID: <200702281025.42505.sgrubb@redhat.com> (raw)
In-Reply-To: <200702281453.l1SErxtI004552@turing-police.cc.vt.edu>

On Wednesday 28 February 2007 09:53, Valdis.Kletnieks@vt.edu wrote:
> A malicious root user (or any user wanting to bypass a logging login shell)
> could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
> whatever they wanted to do.  

I don't think any security target or standard assumes that you have a 
malicious root user. I think that crosses the line from recording what 
actions are performed to potential criminal investigation.

> Probably what's *really* needed is a sebek-style logger that traces all
> terminal activity on that connection. http://www.honeynet.org/tools/sebek/
> but somebody would have to retarget that code to talk to the audit daemon
> rather than an external server on another box.

Yeah, a keylogger is what you'd need and that probably goes beyond what audit 
should be doing. If you want to record a lot of data, then you could also 
add:

-a always,entry -S execve -F 'auid>=500' -F uid=0

-Steve

next prev parent reply	other threads:[~2007-02-28 15:25 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-27  8:25 New to audit. Need help configuring audit to meet NISPOM req's Fields, Randy (Space Technology)
2007-02-28  3:00 ` Steve Grubb
2007-02-28 11:02   ` Johnston Mark (UK)
2007-02-28 11:07     ` Syscalls Johnston Mark (UK)
2007-02-28 11:43       ` Syscalls Steve Grubb
2007-02-28 12:23         ` Syscalls Johnston Mark (UK)
2007-02-28 12:25           ` Syscalls Marcus Meissner
2007-02-28 13:28           ` Syscalls Steve Grubb
2007-02-28 14:53             ` Syscalls Valdis.Kletnieks
2007-02-28 15:25               ` Steve Grubb [this message]
2007-02-28 19:24                 ` Syscalls James W. Hoeft
2007-02-28 15:17             ` Syscalls Steve Grubb
2007-03-01  2:41           ` Syscalls Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200702281025.42505.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=Mark.Johnston@o2.com \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.