[RFC] linux-2.6.10-auditfs-tc1.patch

Klaus Weidner klaus at atsec.com
Fri Jan 21 19:41:03 UTC 2005


On Fri, Jan 21, 2005 at 10:29:47AM -0800, Chris Wright wrote:
> Now for updates, I think you'll need to keep watch of the whole tree,
> mount issues aside.  For example, I believe that right now the following
> could fall off of the radar:
> 
> # mv /etc /tmp
> # mkdir /etc
> # cp /tmp/evil_shadow /etc/shadow
> 
> I think this would kill /etc dir watchpoints, and /etc/shadow would no
> longer be watched, while /tmp/etc/shadow is diligently watched.

This type of thing is not a concern for CAPP and LSPP, since
administrators are still assumed to be trustworthy, and ordinary users
can't do that kind of thing. I'm not convinced that it's a real concern
in practical use either - an audit subsystem that could cope with
malicious administrators reliably would need to be designed differently.

I guess it would be possible to set up a watch list on "/" to monitor
renames/recreation of /etc though, which would at least give admins the
chance to notice this kind of thing happening.

-Klaus
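The mv/mkdir/cp sequence quoted above, and Klaus's suggested mitigation of also watching the parent, can be reproduced with ordinary inotify watches, which are bound to the inode rather than the path in the same way the quoted scenario describes for auditfs directory watchpoints. The program below is an added example and is not code from this thread or from the auditfs patch: inotify (which only reached mainline after this discussion) stands in for the audit watch, a scratch tree under /tmp stands in for "/", "etc.moved" plays the role of /tmp/etc, and the names `run_rename_demo`, `demo_result`, `tally` and `touch` are this example's own. It tallies what each watch sees: the watch on "etc" follows the moved directory and never reports the new etc/shadow, while the watch on the parent reports both the rename and the re-creation of "etc".

```c
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* What each watch observed while the mv/mkdir/cp sequence ran. */
struct demo_result {
    int ok;             /* 1 if every setup step succeeded, 0 on any error */
    int etc_create;     /* IN_CREATE seen by the "etc" watch for the new etc/shadow */
    int etc_move_self;  /* IN_MOVE_SELF seen by the "etc" watch when etc was renamed */
    int moved_create;   /* IN_CREATE seen by the "etc" watch for a file added to etc.moved */
    int root_moved;     /* IN_MOVED_FROM + IN_MOVED_TO seen by the parent watch */
    int root_create;    /* IN_CREATE seen by the parent watch (the re-created "etc") */
};

/* Drain the non-blocking inotify queue; IN_CREATE on wd_etc is counted into *etc_slot
 * so the caller can separate the two phases of the demo. */
static void tally(int fd, int wd_etc, int wd_root, struct demo_result *r, int *etc_slot)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->wd == wd_etc) {
                if (ev->mask & IN_CREATE)    (*etc_slot)++;
                if (ev->mask & IN_MOVE_SELF) r->etc_move_self++;
            } else if (ev->wd == wd_root) {
                if (ev->mask & (IN_MOVED_FROM | IN_MOVED_TO)) r->root_moved++;
                if (ev->mask & IN_CREATE)                     r->root_create++;
            }
            p += sizeof *ev + ev->len;
        }
    }
}

/* Create an empty file; stands in for "cp /tmp/evil_shadow /etc/shadow". */
static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

struct demo_result run_rename_demo(void)
{
    struct demo_result r = {0};
    char base[] = "/tmp/auditfs-demo-XXXXXX";   /* constructed scratch tree standing in for "/" */
    char etc[PATH_MAX], moved[PATH_MAX], shadow[PATH_MAX], decoy[PATH_MAX];
    int ifd = -1, wd_etc = -1, wd_root = -1;

    if (!mkdtemp(base)) return r;
    snprintf(etc,    sizeof etc,    "%s/etc",       base);
    snprintf(moved,  sizeof moved,  "%s/etc.moved", base);   /* plays the role of /tmp/etc */
    snprintf(shadow, sizeof shadow, "%s/shadow",    etc);
    snprintf(decoy,  sizeof decoy,  "%s/shadow",    moved);

    ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0 || mkdir(etc, 0755) < 0) goto out;
    /* The directory watchpoint: bound to the inode of "etc", not to the name. */
    wd_etc  = inotify_add_watch(ifd, etc,  IN_CREATE | IN_MOVE_SELF);
    /* Klaus's suggestion: a watch on the parent sees renames and re-creation of "etc". */
    wd_root = inotify_add_watch(ifd, base, IN_CREATE | IN_MOVED_FROM | IN_MOVED_TO);
    if (wd_etc < 0 || wd_root < 0) goto out;

    /* Phase 1, the quoted sequence: mv /etc /tmp; mkdir /etc; cp evil_shadow /etc/shadow */
    if (rename(etc, moved) < 0 || mkdir(etc, 0755) < 0 || touch(shadow) < 0) goto out;
    tally(ifd, wd_etc, wd_root, &r, &r.etc_create);

    /* Phase 2: the old watch followed the inode, so /tmp/etc is still "diligently watched". */
    if (touch(decoy) < 0) goto out;
    tally(ifd, wd_etc, wd_root, &r, &r.moved_create);
    r.ok = 1;
out:
    unlink(shadow); unlink(decoy); rmdir(etc); rmdir(moved); rmdir(base);
    if (ifd >= 0) close(ifd);
    return r;
}

int main(void)
{
    struct demo_result r = run_rename_demo();
    printf("setup ok: %d\n", r.ok);
    printf("watch on etc:    create(new etc/shadow)=%d move_self=%d create(etc.moved/shadow)=%d\n",
           r.etc_create, r.etc_move_self, r.moved_create);
    printf("watch on parent: moved=%d create=%d\n", r.root_moved, r.root_create);
    return r.ok ? 0 : 1;
}
```

The first watch reports the rename of "etc" (IN_MOVE_SELF) and later the file dropped into etc.moved, but nothing at all for the replacement etc/shadow, which is exactly the gap Chris describes. Only the watch on the parent records the IN_MOVED_FROM/IN_MOVED_TO pair for the rename and the IN_CREATE for the new "etc" directory, and even that tells an administrator that something happened rather than what was then written under the new path; a watch on the new directory would have to be re-established from that event.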