From: "James W. Hoeft"
Subject: Re: Syscalls
Date: Wed, 28 Feb 2007 11:24:08 -0800
Message-ID: <45E5D6D8.6000605@MagitekLtd.com>
References: <200702280828.47480.sgrubb@redhat.com> <200702281453.l1SErxtI004552@turing-police.cc.vt.edu> <200702281025.42505.sgrubb@redhat.com>
In-Reply-To: <200702281025.42505.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: "Johnston Mark (UK)", linux-audit@redhat.com, Valdis.Kletnieks@vt.edu
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> On Wednesday 28 February 2007 09:53, Valdis.Kletnieks@vt.edu wrote:
>> A malicious root user (or any user wanting to bypass a logging login shell)
>> could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
>> whatever they wanted to do.
>
> I don't think any security target or standard assumes that you have a
> malicious root user. I think that crosses the line from recording what
> actions are performed to potential criminal investigation.

In our world, the primary purpose of audit logs is to support a criminal
investigation - and a malicious root user is assumed. Two options were
presented: ensure audit files are immutable and if the system isn't auditing
shut it down; or put the root password under two-man control. (Couldn't
accomplish the first in the time frame, so had to go with the second, which is an
incredible pain for the admins - hope to change that with the next
generation/selinux.)

>> Probably what's *really* needed is a sebek-style logger that traces all
>> terminal activity on that connection.
>> http://www.honeynet.org/tools/sebek/
>> but somebody would have to retarget that code to talk to the audit daemon
>> rather than an external server on another box.
>
> Yeah, a keylogger is what you'd need and that probably goes beyond what audit
> should be doing. If you want to record a lot of data, then you could also
> add:
>
> -a always,entry -S execve -F 'auid>=500' -F uid=0
>
> -Steve

Jim
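An added example, not part of this thread and not code from the audit project: a small Python script that consumes the records a rule like the one Steve suggests produces (written here with an exit list, which is what current auditctl accepts: `-a always,exit -S execve -F auid>=500 -F uid=0 -k root-exec`) and joins each SYSCALL record with its EXECVE record on the audit event serial, so every command executed as uid 0 is attributed back to the login uid (auid) that became root, including the `vi /tmp/foo` followed by a shell escape described above. The log lines are constructed for this example and the key name `root-exec` is an assumption. The script also applies one check the rule itself does not: the kernel compares auid numerically, so the "unset" value 4294967295 (daemons started at boot, cron jobs) satisfies `auid>=500`, and those records are dropped here because they carry no login user to attribute.

```python
"""Attribute execve calls made as uid 0 to the login uid that became root.

Added example (not from the linux-audit thread): parse SYSCALL/EXECVE records
produced by a rule such as
    -a always,exit -S execve -F auid>=500 -F uid=0 -k root-exec   (key name assumed)
join the two record types on the audit event serial, decode hex-encoded
arguments, and report (auid, session, tty, argv) for each root command.
"""
import re
from collections import defaultdict

# Constructed sample lines, not from a real system: login uid 500 has become root
# on pts0, opens vi, then a shell escape runs "ls -la /var/log/audit/" (hex-encoded
# by the kernel because it contains spaces). The third event is a cron child with
# auid unset, which the rule still matches because 4294967295 >= 500.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1172687048.321:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 items=2 ppid=2001 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vi" exe="/bin/vi" key="root-exec"
type=EXECVE msg=audit(1172687048.321:4567): argc=2 a0="vi" a1="/tmp/foo"
type=SYSCALL msg=audit(1172687050.100:4568): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 items=2 ppid=2002 pid=2003 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="sh" exe="/bin/sh" key="root-exec"
type=EXECVE msg=audit(1172687050.100:4568): argc=3 a0="sh" a1="-c" a2=6C73202D6C61202F7661722F6C6F672F61756469742F
type=SYSCALL msg=audit(1172687051.500:4569): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 items=2 ppid=1 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root-exec"
type=EXECVE msg=audit(1172687051.500:4569): argc=1 a0="cron"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUID_UNSET = 4294967295          # (uid_t)-1: no login uid was ever set
# execve syscall number depends on the audit arch value in the record.
EXECVE_BY_ARCH = {"c000003e": "59",   # AUDIT_ARCH_X86_64
                  "40000003": "11"}   # AUDIT_ARCH_I386


def decode_value(raw):
    """Audit quotes plain strings; strings with spaces or odd bytes are emitted
    as unquoted uppercase hex. Only call this on string-valued fields."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_line(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": dict(FIELD_RE.findall(rest))}


def reconstruct_events(log_text):
    """Group records by event serial; keep the SYSCALL fields and decoded argv."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev.setdefault("time", rec["time"])
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec["fields"]
        elif rec["type"] == "EXECVE":
            f = rec["fields"]
            argc = int(f.get("argc", "0"))
            ev["argv"] = [decode_value(f.get("a%d" % i, "")) for i in range(argc)]
    return events


def root_commands_by_login_user(log_text, min_auid=500):
    """Return the execve events run as uid 0 by a real login uid >= min_auid."""
    hits = []
    events = reconstruct_events(log_text)
    for serial in sorted(events):
        ev = events[serial]
        sc = ev.get("syscall")
        if sc is None or sc.get("uid") != "0":
            continue
        if sc.get("syscall") != EXECVE_BY_ARCH.get(sc.get("arch")):
            continue
        auid = int(sc.get("auid", AUID_UNSET))
        # auid>=500 in the rule also admits the unset value; drop it here so
        # only events attributable to a logged-in user are reported.
        if auid == AUID_UNSET or auid < min_auid:
            continue
        hits.append({"serial": serial, "time": ev["time"], "auid": auid,
                     "ses": sc.get("ses"), "tty": sc.get("tty"),
                     "exe": decode_value(sc.get("exe", "")),
                     "argv": ev.get("argv", [])})
    return hits


if __name__ == "__main__":
    for h in root_commands_by_login_user(SAMPLE_AUDIT_LOG):
        print("auid=%d ses=%s tty=%s exe=%s argv=%r"
              % (h["auid"], h["ses"], h["tty"], h["exe"], h["argv"]))
```

Run against a real log, the same join answers the question the thread raises: the vi process and the shell it spawned both carry auid 500 and session 4, so the "!command" escape is still attributed to the person who logged in, even though uid is 0 throughout.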