audit audtid's syscall?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Feb 3 17:24:58 UTC 2005


On Thu, 03 Feb 2005 11:08:08 EST, Avishay Traeger said:

> PID=`ps x | grep auditd | grep -v grep | cut -c 2-5`
> /sbin/auditctl -a entry,always -S all -F pid!=$PID || exit 3

This will, under some conditions, allow an attacker a "free lunch" just by
calling his process something with 'auditd' in it.  You really need to check
against what process is actually doing the auditd function (i.e. is it listening
to the netlink?)

The 'cut -c 2-5' will bork if auditd gets a process ID over 9999. '-c 1-6' or
awk '{print $1}' might be better....

Also, you can save a fork/exec like this:

PID=`ps x | grep 'aud[i]td' | cut -c 1-5`

(Think carefully about how grep applies the regexp when it finds itself...)
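The three points raised above (a substring match on "auditd" trusts any process with that string in its name, a fixed-width `cut` breaks on wider PIDs, and `grep 'aud[i]td'` excludes the grep itself without a second `grep -v`) can be seen side by side on a constructed `ps x` listing. The script below is an added illustration, not code from the thread; the `ps` and `/proc/net/netlink` samples are made up, and the netlink check assumes the usual `/proc/net/netlink` column layout where column 2 is the protocol (9 = NETLINK_AUDIT) and column 3 is the owning PID.

```shell
#!/bin/sh
# Constructed sample of `ps x` output; the PIDs and paths are made up.
# The last line is what the grep itself looks like when the 'aud[i]td'
# trick is used, so it never matches its own pattern.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  812 ?        S<sl   0:01 /sbin/auditd
12345 ?        Ss     0:00 /home/eve/auditd_lookalike --evil
 4322 pts/0    S+     0:00 grep aud[i]td'

# Constructed /proc/net/netlink snippet (assumed layout: sk Eth Pid ...).
# Eth 9 is NETLINK_AUDIT; Pid 0 is the kernel side, the other Pid is auditd.
SAMPLE_NETLINK='sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops     Inode
0000000000000000 0   0      00000000 0        0        0        2         0         11
0000000000000000 9   0      00000000 0        0        0        2         0         12
0000000000000000 9   812    00000001 0        0        0        2         0         12345'

# 1. The approach from the original post: substring match, fixed-width cut.
#    It also picks up the lookalike process, and truncates PIDs > 9999.
naive_pid() {
  printf '%s\n' "$SAMPLE_PS" | grep auditd | grep -v grep | cut -c 2-5
}

# 2. The self-excluding grep from the reply: one fewer process, but the
#    substring problem remains (the lookalike still matches).
self_excluding_grep() {
  printf '%s\n' "$SAMPLE_PS" | grep 'aud[i]td'
}

# 3. Stricter: take the first field (no width assumption) and require the
#    command's basename to be exactly "auditd".
strict_pid() {
  printf '%s\n' "$SAMPLE_PS" | awk '
    NR > 1 {
      cmd = $5; sub(/.*\//, "", cmd)    # basename of the COMMAND column
      if (cmd == "auditd") print $1
    }'
}

# 4. Closest to "is it listening on the netlink?": the non-kernel PID that
#    holds a NETLINK_AUDIT socket. On a live box read /proc/net/netlink
#    instead of the constructed sample.
netlink_audit_pid() {
  printf '%s\n' "$SAMPLE_NETLINK" | awk 'NR > 1 && $2 == 9 && $3 != 0 { print $3 }'
}

echo "naive:          $(naive_pid | tr '\n' ' ')"
echo "self-excluding: $(self_excluding_grep | awk '{print $1}' | tr '\n' ' ')"
echo "strict:         $(strict_pid)"
echo "netlink:        $(netlink_audit_pid)"
```

The naive and self-excluding variants both return two candidates here (the real daemon and the lookalike), which is exactly the "free lunch" described above: whichever PID the script ends up feeding to `-F pid!=` is the one that escapes the audit rule. The strict basename check and the netlink socket check both narrow it to the real `auditd`; the netlink check is the one that does not depend on what the binary happens to be called.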