From: Steve Grubb
Subject: Re: Syscalls
Date: Wed, 28 Feb 2007 10:25:42 -0500
Message-ID: <200702281025.42505.sgrubb@redhat.com>
In-Reply-To: <200702281453.l1SErxtI004552@turing-police.cc.vt.edu>
References: <200702280828.47480.sgrubb@redhat.com> <200702281453.l1SErxtI004552@turing-police.cc.vt.edu>
To: Valdis.Kletnieks@vt.edu
Cc: linux-audit@redhat.com, "Johnston Mark (UK)"
List-Id: linux-audit@redhat.com

On Wednesday 28 February 2007 09:53, Valdis.Kletnieks@vt.edu wrote:
> A malicious root user (or any user wanting to bypass a logging login shell)
> could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
> whatever they wanted to do.

I don't think any security target or standard assumes that you have a
malicious root user. I think that crosses the line from recording what
actions are performed to potential criminal investigation.

> Probably what's *really* needed is a sebek-style logger that traces all
> terminal activity on that connection. http://www.honeynet.org/tools/sebek/
> but somebody would have to retarget that code to talk to the audit daemon
> rather than an external server on another box.

Yeah, a keylogger is what you'd need and that probably goes beyond what audit
should be doing. If you want to record a lot of data, then you could also
add:

-a always,entry -S execve -F 'auid>=500' -F uid=0

-Steve
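Added example, not from the thread or from the audit package: the script below replays the filter in Steve's rule (execve, auid>=500, uid=0) over constructed audit records in the format auditd writes to audit.log, grouping SYSCALL and EXECVE records by event serial the way ausearch does. The records are made up for this example and assume x86_64 (arch=c000003e, execve=59); event 2002 is the ":!your_command_here -h -x -Q 3" case from the quoted message, which vi runs by exec'ing /bin/sh -c, so it is still caught as an execve even though no login shell logged it.

```python
import re

# Constructed sample audit records (made up for this example, not captured
# from a real system). Serials 2001-2004 are four separate events:
# 2001: a user with loginuid 500 who became root runs "ls -la".
# 2002: the same session types ":!your_command_here -h -x -Q 3" inside vi;
#       vi forks and execs /bin/sh -c "...", which is an ordinary execve.
# 2003: an unprivileged user (uid=500) runs vi; uid=0 does not match.
# 2004: a root process with an unset loginuid (4294967295), e.g. a cron job.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172676342.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3101 auid=500 uid=0 gid=0 euid=0 tty=pts1 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1172676342.101:2001): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1172676342.205:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=3120 pid=3150 auid=500 uid=0 gid=0 euid=0 tty=pts1 comm="sh" exe="/bin/sh" key=(null)
type=EXECVE msg=audit(1172676342.205:2002): argc=3 a0="/bin/sh" a1="-c" a2="your_command_here -h -x -Q 3"
type=SYSCALL msg=audit(1172676342.310:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=3200 pid=3201 auid=500 uid=500 gid=500 euid=500 tty=pts2 comm="vi" exe="/usr/bin/vi" key=(null)
type=EXECVE msg=audit(1172676342.310:2003): argc=2 a0="vi" a1="/tmp/foo"
type=SYSCALL msg=audit(1172676342.400:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3300 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="run-parts" exe="/usr/bin/run-parts" key=(null)
type=EXECVE msg=audit(1172676342.400:2004): argc=2 a0="/usr/bin/run-parts" a1="/etc/cron.hourly"
"""

# One record per line: type=<TYPE> msg=audit(<time>:<serial>): <key=value ...>
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value tokens; quoted values may contain spaces (EXECVE a0..aN).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# execve syscall numbers for the two arches the sample covers (assumption:
# extend this table for other architectures).
EXECVE_SYSCALLS = {"c000003e": 59, "40000003": 11}  # x86_64, i386
AUID_UNSET = 4294967295  # loginuid never set; compares >= 500 as unsigned


def parse_fields(body):
    """Split an audit record body into a dict, dropping quotes on values."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_audit_log(text):
    """Group records by event serial: {serial: {"SYSCALL": {...}, "EXECVE": {...}}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        events.setdefault(int(serial), {})[rtype] = parse_fields(body)
    return events


def execve_argv(execve):
    """Rebuild argv from an EXECVE record's argc and a0..aN fields."""
    return [execve[f"a{i}"] for i in range(int(execve["argc"]))]


def find_root_execs(text, min_auid=500, exclude_unset_auid=False):
    """Offline equivalent of '-S execve -F auid>=min_auid -F uid=0'.

    auid is compared as an unsigned value, as the kernel filter does, so an
    unset loginuid (4294967295) passes auid>=500 unless excluded explicitly.
    """
    hits = []
    events = parse_audit_log(text)
    for serial in sorted(events):
        sc = events[serial].get("SYSCALL")
        ev = events[serial].get("EXECVE")
        if sc is None or ev is None:
            continue
        if EXECVE_SYSCALLS.get(sc.get("arch")) != int(sc.get("syscall", -1)):
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        if auid < min_auid or uid != 0:
            continue
        if exclude_unset_auid and auid == AUID_UNSET:
            continue
        hits.append({"serial": serial, "auid": auid, "uid": uid,
                     "exe": sc.get("exe"), "argv": execve_argv(ev)})
    return hits


if __name__ == "__main__":
    for hit in find_root_execs(SAMPLE_LOG, exclude_unset_auid=True):
        print(f"{hit['serial']} auid={hit['auid']} exe={hit['exe']} argv={hit['argv']}")
```

Two caveats when turning the rule into production audit.rules: the kernel compares auid as unsigned, so a process whose loginuid was never set (4294967295, shown as -1 by ausearch) satisfies auid>=500 and the rule as written will also record every root daemon and cron job; add -F auid!=4294967295 (or, on newer tools, auid!=-1) if you only want sessions that started as a real user. Also, newer auditctl releases deprecate the entry list and rewrite always,entry as an exit rule, so write -a always,exit there.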