auid

Paul Howarth paul at city-fan.org
Thu Feb 9 18:18:09 UTC 2006


Steve G wrote:
>>so in the absence of SELinux (e.g. CAPP-only configuration), any uid 0 process
>>can mutate its loginuid later to mask the original one,
> 
> 
> Or it can delete the audit logs or re-write syslog or install a rootkit covering
> everything up. The only defence against this kind of tampering is remote logging.
> 
> 
>>and in the presence of SELinux, any program authorized for audit_control can 
>>mutate its loginuid later (so a smaller exposure, but still a possibility).
> 
> 
> So...why doesn't policy restrict this even further so that the 10 apps that need
> to set this are the *only* ones that can do so?
> 
> The list is: login, sshd, vsftpd, postfix, procmail, cron, at, gdm, kdm, & xdm.

That might break any alternatives to these programs, e.g. from Fedora 
Extras, such as proftpd, wouldn't it?

Paul.