audit auditd's syscall?

Avishay Traeger atraeger at cs.sunysb.edu
Thu Feb 3 17:40:14 UTC 2005


Well I wasn't worried about security risks because I was using it for a
personal study, but yes, definitely a "free lunch".  Also, thanks for
the bash scripting corrections! :)

Avishay Traeger

On Thu, 2005-02-03 at 12:24 -0500, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 03 Feb 2005 11:08:08 EST, Avishay Traeger said:
> 
> > PID=`ps x | grep auditd | grep -v grep | cut -c 2-5`
> 
> > /sbin/auditctl -a entry,always -S all -F pid!=$PID || exit 3
> 
> This will, under some conditions, allow an attacker a "free lunch" just by
> calling his process something with 'auditd' in it.  You really need to check
> against what process is actually doing the auditd function (i.e. is it listening
> to the netlink?)
> 
> The 'cut -c 2-5' will bork if auditd gets a process ID over 9999. '-c 1-6' or
> awk '{print $1}' might be better....
> 
> Also, you can save a fork/exec like this:
> 
> PID=`ps x | grep 'aud[i]td' | cut -c 1-5`
> 
> (Think carefully about how grep applies the regexp when it finds itself...)
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
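The two pitfalls raised in the reply, a decoy process whose name merely contains "auditd" and a PID wider than the `cut -c 2-5` window, are easy to reproduce. The script below is an added example, not code from either poster: it runs the original `grep | cut` approach against a constructed `ps x` listing, then shows two sturdier ways to find the daemon's PID: matching the full command field with awk (so the whole first field is taken whatever its width, and only the exact executable path matches), and reading `/proc/<pid>/exe` so the answer depends on what binary is actually running rather than on what the process calls itself. The `/sbin/auditd` path, the sample listing and the optional proc-root argument are assumptions for illustration; the `auditctl` rule is only assembled, not executed.

```shell
#!/bin/sh
# Constructed sample `ps x` output (not captured from a real system). It has
# a decoy whose command line merely contains "auditd" and a real daemon with
# a five-digit PID, the two cases the thread warns about.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  812 ?        Ss     0:00 /sbin/init
12345 ?        S<sl   0:01 /sbin/auditd
 9876 pts/0    S      0:00 ./not-auditd-at-all
23456 pts/0    R+     0:00 ps x'

# The original approach: substring grep on the listing, then fixed columns.
# On the sample this yields "2345" (the leading digit is cut off) and "9876"
# (the decoy), so the real PID never appears.
naive_pid() {
    printf '%s\n' "$SAMPLE_PS" | grep auditd | grep -v grep | cut -c 2-5
}

# Sturdier parsing of a ps listing: awk's $1 is the whole PID field no matter
# how wide it is, and the command field must equal the daemon path exactly,
# so "./not-auditd-at-all" does not match.
# $1 = ps listing text, $2 = executable path to look for
auditd_pid_from_ps() {
    printf '%s\n' "$1" | awk -v exe="$2" '$5 == exe {print $1}'
}

# Strongest check available from the shell: read /proc/<pid>/exe, which the
# kernel fills in from the executable that is really running. The process
# name is never consulted. $2 defaults to /proc; passing another directory
# allows the scan to run against a constructed tree (used in testing).
# Links that cannot be read (other users' processes, kernel threads) are
# skipped rather than trusted.
auditd_pid_by_exe() {
    exe="$1"
    procroot="${2:-/proc}"
    for d in "$procroot"/[0-9]*; do
        [ -d "$d" ] || continue
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        if [ "$target" = "$exe" ]; then
            basename "$d"
        fi
    done
}

# Assemble the exclusion rule from the thread for a given PID. It is only
# printed here; running it needs root and a live audit daemon.
auditctl_rule_for() {
    printf '/sbin/auditctl -a entry,always -S all -F pid!=%s\n' "$1"
}

# Stand-alone demonstration.
echo "naive grep|cut result:"
naive_pid
echo "awk on full command field:"
auditd_pid_from_ps "$SAMPLE_PS" /sbin/auditd
echo "rule that would be installed:"
auditctl_rule_for "$(auditd_pid_from_ps "$SAMPLE_PS" /sbin/auditd)"
echo "live /proc scan (empty if no auditd is running here):"
auditd_pid_by_exe /sbin/auditd
```

The `/proc` scan is the one that answers the reply's question of "what process is actually doing the auditd function": a renamed binary or a decoy process name does not change what `/proc/<pid>/exe` points at, whereas anything derived from `ps` output is only as trustworthy as the process's self-reported command line.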
