From: Miloslav Trmac <mitr@redhat.com>
To: casey@schaufler-ca.com
Cc: Steve Grubb <sgrubb@redhat.com>,
Jan Engelhardt <jengelh@linux01.gwdg.de>,
dwmw2@infradead.org, linux-kernel@vger.kernel.org,
Alan Cox <alan@redhat.com>, Alexander Viro <aviro@redhat.com>
Subject: Re: [PATCH] Audit: Add TTY input auditing
Date: Thu, 07 Jun 2007 21:28:39 +0200
Message-ID: <46685C67.7000108@redhat.com>
In-Reply-To: <442798.53194.qm@web36614.mail.mud.yahoo.com>
Casey Schaufler wrote:
>> If we do not get commands typed at a prompt, we have to audit by execve.
> I would suggest that you'll have to do that as well so that you can tell
> the difference between typed actions like these:
>
> # cat > /dev/null
> badprogram --badthing --everyone
> ^D
> #
>
> # badprogram --badthing --everyone
>
> where the same typed line is a Bad Thing in one case and completely
> irrelevant in the other.
The proposed patch audits each process separately, and includes a part
of the command name in the audit event, so it is easy to distinguish
between data entered into (cat > /dev/null) and the shell.
The command name can be faked, but the actions necessary to fake the
command name would be audited.
Mirek
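The distinction Mirek describes can be checked on the consumer side: every TTY record names the process that read the bytes, so the same text read by cat and by the shell lands in two records with different comm values. The script below is an added example, not code from the patch or from the kernel. Its record layout (key=value fields with comm="..." and hex-encoded data) is an assumption modelled on the TTY audit record that later shipped in Linux, the field names and the sample lines are constructed for the example, and the list of shell names is an arbitrary choice.

```python
"""Attribute audited TTY input to the process that read it.

Added example, not code from the patch or the kernel.  The record layout is
an assumption modelled on the TTY audit record that later shipped in Linux
(key=value fields, comm="..." and hex-encoded data); the sample records are
constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample: the same bytes are typed twice in one session.  The
# first time they are read by "cat" (stdout redirected to /dev/null), the
# second time by the shell itself.  Only the second is a command.
SAMPLE_RECORDS = """\
type=TTY msg=audit(1181245200.001:101): tty pid=2001 uid=0 auid=500 ses=1 major=136 minor=1 comm="bash" data=636174203E202F6465762F6E756C6C0A
type=TTY msg=audit(1181245200.002:102): tty pid=2002 uid=0 auid=500 ses=1 major=136 minor=1 comm="cat" data=62616470726F6772616D202D2D6261647468696E67202D2D65766572796F6E650A
type=TTY msg=audit(1181245200.003:103): tty pid=2001 uid=0 auid=500 ses=1 major=136 minor=1 comm="bash" data=62616470726F6772616D202D2D6261647468696E67202D2D65766572796F6E650A
"""

RECORD_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=(?P<major>\d+) minor=(?P<minor>\d+) comm="(?P<comm>[^"]*)" '
    r'data=(?P<data>[0-9A-Fa-f]*)$'
)

# Arbitrary list of programs whose TTY input is a command line (assumption).
SHELLS = frozenset({"bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh"})


def parse_tty_record(line):
    """Return a dict for one TTY record, or None if the line is not one.

    data is hex so that control characters and newlines survive in the log;
    it is decoded back to bytes here.
    """
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("serial", "pid", "uid", "auid", "ses", "major", "minor"):
        rec[key] = int(rec[key])
    rec["data"] = bytes.fromhex(rec["data"])
    return rec


def typed_lines(log_text):
    """Reassemble typed lines per reading process.

    A record may be emitted before the newline arrives (buffer full, process
    exit), so bytes are accumulated per (pid, comm) and split on newline
    afterwards; a trailing partial line is flushed at the end.  Returns
    (serial, pid, comm, line) tuples in the order lines were completed.
    """
    buffers = defaultdict(bytearray)
    out = []
    for raw in log_text.splitlines():
        rec = parse_tty_record(raw)
        if rec is None:
            continue
        key = (rec["pid"], rec["comm"])
        buffers[key] += rec["data"]
        while b"\n" in buffers[key]:
            line, _, rest = bytes(buffers[key]).partition(b"\n")
            buffers[key] = bytearray(rest)
            # latin-1 never fails, so control characters stay visible.
            out.append((rec["serial"], rec["pid"], rec["comm"], line.decode("latin-1")))
    for (pid, comm), buf in buffers.items():
        if buf:
            out.append((None, pid, comm, bytes(buf).decode("latin-1")))
    return out


def shell_commands(log_text, shells=SHELLS):
    """Lines read by a shell process: the ones to treat as typed commands."""
    return [line for _, _, comm, line in typed_lines(log_text) if comm in shells]


def readers_of(log_text, needle):
    """Every (comm, pid, line) where a line containing needle was read.

    The cat-to-/dev/null case shows up with comm "cat" and is therefore
    distinguishable from the same text read by "bash".
    """
    return [(comm, pid, line) for _, pid, comm, line in typed_lines(log_text)
            if needle in line]


if __name__ == "__main__":
    for comm, pid, line in readers_of(SAMPLE_RECORDS, "badprogram"):
        print(f"pid={pid} comm={comm!r} read: {line}")
    print("commands typed at a shell:", shell_commands(SAMPLE_RECORDS))
```

Running it shows the line read by cat (pid 2002) and the line read by bash (pid 2001) as separate events, and only the latter in the shell-command list. comm is what the process reports about itself (set at execve and changeable through prctl(PR_SET_NAME)), so, as the reply notes, a process could call itself "bash"; the defence is to correlate the pid with the execve records for the same session rather than trusting comm alone.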
Thread overview: 19+ messages
2007-06-06 9:49 [PATCH] Audit: Add TTY input auditing Miloslav Trmac
2007-06-06 10:10 ` Miloslav Trmac
2007-06-07 0:41 ` Andrew Morton
2007-06-07 10:10 ` Alan Cox
2007-06-07 14:20 ` Miloslav Trmac
2007-06-07 21:59 ` Alan Cox
2007-06-08 4:18 ` Miloslav Trmac
2007-06-08 4:23 ` [PATCH, v2] " Miloslav Trmac
2007-06-08 6:31 ` Andrew Morton
2007-06-08 16:00 ` Miloslav Trmac
2007-06-07 8:13 ` [PATCH] " Jan Engelhardt
2007-06-07 10:50 ` Steve Grubb
2007-06-07 15:42 ` Casey Schaufler
2007-06-07 15:52 ` Alan Cox
2007-06-07 16:31 ` Steve Grubb
2007-06-07 17:33 ` Casey Schaufler
2007-06-07 19:28 ` Miloslav Trmac [this message]
2007-06-07 21:09 ` Jan Engelhardt
2007-06-07 22:32 ` Casey Schaufler