From: "James W. Hoeft" <Jim@MagitekLtd.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: "Johnston Mark (UK)" <Mark.Johnston@o2.com>,
	linux-audit@redhat.com, Valdis.Kletnieks@vt.edu
Subject: Re: Syscalls
Date: Wed, 28 Feb 2007 11:24:08 -0800	[thread overview]
Message-ID: <45E5D6D8.6000605@MagitekLtd.com> (raw)
In-Reply-To: <200702281025.42505.sgrubb@redhat.com>

Steve Grubb wrote:
> On Wednesday 28 February 2007 09:53, Valdis.Kletnieks@vt.edu wrote:
>> A malicious root user (or any user wanting to bypass a logging login shell)
>> could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
>> whatever they wanted to do.
> 
> I don't think any security target or standard assumes that you have a 
> malicious root user. I think that crosses the line from recording what 
> actions are performed to potential criminal investigation.

In our world, the primary purpose of audit logs is to support a criminal 
investigation - and malicious root user is assumed. Two options were 
presented: ensure audit files are immutable and if system isn't auditing 
shut it down; or put root password under two-man control. (couldn't 
accomplish first in time frame, so had to go with second, which is an 
incredible pain for the admins - hope to change that with next 
generation/selinux).

>> Probably what's *really* needed is a sebek-style logger that traces all
>> terminal activity on that connection. http://www.honeynet.org/tools/sebek/
>> but somebody would have to retarget that code to talk to the audit daemon
>> rather than an external server on another box.
> 
> Yeah, a keylogger is what you'd need and that probably goes beyond what audit 
> should be doing. If you want to record a lot of data, then you could also 
> add:
> 
> -a always,entry -S execve -F 'auid>=500' -F uid=0
> 
> -Steve

Jim
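The rule quoted above logs every execve by a logged-in user (auid>=500) whose process is running as uid 0, which is what catches the `vi /tmp/foo` then `!command` escape from a logging shell: vi spawns `sh -c ...`, which in turn execs the command, and both execve calls land in the audit log regardless of which shell the user is sitting in. The following is an added example, not code from the thread or from the audit project: it parses the SYSCALL/EXECVE record pairs that auditd writes to audit.log, joins them by event serial, hex-decodes the arguments auditd encodes when they contain spaces, and applies the same auid>=500 plus uid=0 filter in software. The sample records are constructed and assume an x86_64 box with a rule that logs all execve calls for auid>=500 under the key `exec-log`, so that the uid filter is visible in the script rather than in the kernel.

```python
"""Reconstruct commands run as root by logged-in users from auditd records.

Added example for the linux-audit thread; the log lines below are constructed,
not captured from any system. Record layout follows auditd's audit.log format:
one SYSCALL record and one EXECVE record share an event serial.
"""
import re
from collections import defaultdict

UNSET_AUID = 4294967295  # auid of processes never tied to a login (cron, init)

# Constructed sample. Serial 4512: user auid=500 runs "id -u" as root.
# Serials 4513/4514: the same user escapes a logging shell via vi's "!cmd",
# which execs "sh -c ..." and then the command itself.
# Serial 4515: the same user running as themselves (uid=500), not a root action.
# Serial 4516: a cron job as root with no login uid; must not be attributed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172690648.123:4512): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2301 pid=2310 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="id" exe="/usr/bin/id" key="exec-log"
type=EXECVE msg=audit(1172690648.123:4512): argc=2 a0="id" a1="-u"
type=SYSCALL msg=audit(1172690701.200:4513): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2320 pid=2325 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="sh" exe="/bin/sh" key="exec-log"
type=EXECVE msg=audit(1172690701.200:4513): argc=3 a0="sh" a1="-c" a2=796F75725F636F6D6D616E645F68657265202D68202D78202D512033
type=SYSCALL msg=audit(1172690701.201:4514): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2325 pid=2326 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="your_command_he" exe="/usr/local/bin/your_command_here" key="exec-log"
type=EXECVE msg=audit(1172690701.201:4514): argc=5 a0="your_command_here" a1="-h" a2="-x" a3="-Q" a4="3"
type=SYSCALL msg=audit(1172690730.000:4515): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2301 pid=2340 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="ls" exe="/bin/ls" key="exec-log"
type=EXECVE msg=audit(1172690730.000:4515): argc=1 a0="ls"
type=SYSCALL msg=audit(1172690800.000:4516): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="run-parts" exe="/usr/bin/run-parts" key="exec-log"
type=EXECVE msg=audit(1172690800.000:4516): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arg(raw):
    """EXECVE a<N> values are quoted when printable; otherwise auditd hex-encodes
    the bytes (arguments containing spaces, quotes or control characters)."""
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', 'replace')


def parse_audit_log(text):
    """Group SYSCALL and EXECVE records by event serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev.setdefault('time', float(ts))
        fields = dict(FIELD_RE.findall(body))
        if rtype == 'SYSCALL':
            ev['syscall'] = {k: v.strip('"') for k, v in fields.items()}
        elif rtype == 'EXECVE':
            argc = int(fields['argc'])
            ev['argv'] = [decode_arg(fields['a%d' % i]) for i in range(argc)]
    return events


def root_commands(text, min_auid=500):
    """Apply the thread's filter in software: login uid >= min_auid, process uid 0.
    Returns (serial, auid, tty, exe, argv) tuples in event order."""
    out = []
    for serial, ev in sorted(parse_audit_log(text).items(), key=lambda kv: int(kv[0])):
        sc = ev.get('syscall')
        if sc is None or 'argv' not in ev:
            continue  # incomplete event, e.g. EXECVE without its SYSCALL record
        auid, uid = int(sc['auid']), int(sc['uid'])
        if auid == UNSET_AUID:
            continue  # never logged in: daemons and cron, not a person to attribute
        if auid >= min_auid and uid == 0:
            out.append((serial, auid, sc.get('tty'), sc.get('exe'), ev['argv']))
    return out


if __name__ == '__main__':
    for serial, auid, tty, exe, argv in root_commands(SAMPLE_LOG):
        print('event %s auid=%d tty=%s exe=%s argv=%r' % (serial, auid, tty, exe, argv))
```

Two points the sample is built to show: the `vi` escape appears twice, once as `sh -c 'your_command_here -h -x -Q 3'` (hex-encoded by auditd because of the spaces) and once as the command's own execve, so the full command line survives whatever shell was used; and a process with no login uid (auid 4294967295) is skipped, since a rule of the form `auid>=500` alone would otherwise attribute root's cron jobs to a person. Arguments long enough for auditd to split into `aN[0]`, `aN[1]` chunks are not handled here.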

Thread overview:
2007-02-27  8:25 New to audit. Need help configuring audit to meet NISPOM req's Fields, Randy (Space Technology)
2007-02-28  3:00 ` Steve Grubb
2007-02-28 11:02   ` Johnston Mark (UK)
2007-02-28 11:07     ` Syscalls Johnston Mark (UK)
2007-02-28 11:43       ` Syscalls Steve Grubb
2007-02-28 12:23         ` Syscalls Johnston Mark (UK)
2007-02-28 12:25           ` Syscalls Marcus Meissner
2007-02-28 13:28           ` Syscalls Steve Grubb
2007-02-28 14:53             ` Syscalls Valdis.Kletnieks
2007-02-28 15:25               ` Syscalls Steve Grubb
2007-02-28 19:24                 ` James W. Hoeft [this message]
2007-02-28 15:17             ` Syscalls Steve Grubb
2007-03-01  2:41           ` Syscalls Steve Grubb
