Re: plugin auditing approach question

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: LC Bruzenak <lenny@magitekltd.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: plugin auditing approach question
Date: Mon, 23 Jun 2008 12:53:27 -0500	[thread overview]
Message-ID: <1214243607.6564.38.camel@homeserver> (raw)
In-Reply-To: <200806231336.18477.sgrubb@redhat.com>


On Mon, 2008-06-23 at 13:36 -0400, Steve Grubb wrote:
> On Monday 23 June 2008 13:27:25 LC Bruzenak wrote:
> > I would create a library call and matching executable audit proxy. I'd
> > give CAP_AUDIT_WRITE to the proxy. Then, the library call would
> > fork/exec the audit proxy child, create a socket pair, and give each
> > side their half of the pair.
> 
> So then you have shifted access control issues to the proxy. Once you have a 
> proxy, then other potentially misleading apps can write to it in order to 
> hide or make it hard to analyze a suspicious event. So, you need a way of 
> making sure that only certain apps can connect to the proxy...and bash should 
> not be one of them. :)  Anyways, that is the core issue that I see.
> 
> -Steve

Yes. That is exactly right, which is why we are also thinking about
maybe "typing" the ones we plugin, adding appropriate policy and
enforcing that. 

Other option is we can also audit as much of the parent info as
possible, specifically denying connections from a shell or other
naughty-minded applications. I guess we can get the irrefutable parent
info from /proc (not sure what CAPS I need to read the parent process
info), right?

Thx again, I do appreciate the feedback.
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

     prev parent reply	other threads:[~2008-06-23 17:53 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-06-23 17:27 plugin auditing approach question LC Bruzenak
2008-06-23 17:36 ` Steve Grubb
2008-06-23 17:53   ` LC Bruzenak [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1214243607.6564.38.camel@homeserver \
    --to=lenny@magitekltd.com \
    --cc=linux-audit@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox