Syscalls
Valdis.Kletnieks at vt.edu
Wed Feb 28 14:53:59 UTC 2007
On Wed, 28 Feb 2007 08:28:47 EST, Steve Grubb said:
> > 4) We're trying to track all usage by the root user, again we are getting
> > a whole bunch of other stuff in the logs, not actions by the user root
> > only.
>
> I am still looking at this. I think we need to patch bash for this.
A patch to bash would be necessary, but not sufficient.
A malicious root user (or any user wanting to bypass a logging login shell)
could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
whatever they wanted to do. Or launch a copy of Emacs and start 'shell.el',
or just launch a copy of perl, and type 'system("command");' at it, or.....
Probably what's *really* needed is a sebek-style logger that traces all
terminal activity on that connection. http://www.honeynet.org/tools/sebek/
but somebody would have to retarget that code to talk to the audit daemon
rather than an external server on another box.
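The bypasses listed above (vi's `:!`, an Emacs shell buffer, perl's `system()`) all end in an execve() syscall, which is exactly what the audit subsystem can record independently of whichever program issued it. The following script is an added example, not code from this thread or from the audit project: it parses constructed audit log lines of the kind auditd writes when a rule such as `-a exit,always -F arch=b64 -S execve -F euid=0 -k root-cmds` is loaded, merges each SYSCALL record with its EXECVE record, attributes every command to the login uid (`auid`), and walks the `ppid` links to show which program actually launched it. The pids, timestamps, serial numbers and the `root-cmds` key are made up for the sample.

```python
"""Reconstruct who launched what from Linux audit execve records.

Added example, not from the linux-audit thread. The SAMPLE_LOG below is
constructed: a user with login uid 500 who became root starts vim, then
runs 'id -u' through vim's ":!". Because the (assumed) audit rule keys on
the execve syscall rather than on the shell, all four programs are
recorded, and the ppid chain exposes the detour through vim.
"""
import re

# Constructed sample records; field layout follows auditd's SYSCALL/EXECVE format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172674439.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1000 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="bash" exe="/bin/bash" key="root-cmds"
type=EXECVE msg=audit(1172674439.100:101): argc=1 a0="bash"
type=SYSCALL msg=audit(1172674439.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="root-cmds"
type=EXECVE msg=audit(1172674439.200:102): argc=2 a0="vi" a1="/tmp/foo"
type=SYSCALL msg=audit(1172674439.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="sh" exe="/bin/sh" key="root-cmds"
type=EXECVE msg=audit(1172674439.300:103): argc=3 a0="/bin/sh" a1="-c" a2="id -u"
type=SYSCALL msg=audit(1172674439.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1002 pid=1003 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="id" exe="/usr/bin/id" key="root-cmds"
type=EXECVE msg=audit(1172674439.400:104): argc=2 a0="id" a1="-u"
"""

EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INT_FIELDS = ("pid", "ppid", "auid", "uid", "euid")


def _fields(line):
    """Split one audit record into a {key: value} dict, stripping quotes."""
    out = {}
    for key, val in KV_RE.findall(line):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def parse_events(text):
    """Merge the SYSCALL and EXECVE records that share an event id (ts:serial)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"argv": []})
        f = _fields(line)
        if f.get("type") == "SYSCALL":
            for k in INT_FIELDS:
                ev[k] = int(f[k])
            ev["comm"] = f.get("comm", "")
            ev["exe"] = f.get("exe", "")
            ev["key"] = f.get("key", "")
        elif f.get("type") == "EXECVE":
            # argv is only in the EXECVE record; the SYSCALL a0..a3 are raw registers.
            ev["argv"] = [f[f"a{i}"] for i in range(int(f["argc"]))]
    return events


def launch_chain(events, pid):
    """List program names from pid up through its recorded ancestors.

    Stops at the first ppid with no execve record (e.g. the login daemon).
    Real logs reuse pids over time; a production version would also key on
    the record timestamp, which this sample does not need.
    """
    by_pid = {ev["pid"]: ev for ev in events.values() if "pid" in ev}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev["comm"])
        pid = ev["ppid"]
    return chain


def root_commands(events):
    """Every execve run with euid 0, attributed to the login uid (auid) and
    annotated with the programs that launched it (excluding itself)."""
    found = []
    for ev in sorted(events.values(), key=lambda e: e.get("pid", 0)):
        if ev.get("euid") != 0:
            continue
        found.append({
            "auid": ev["auid"],
            "argv": ev["argv"],
            "launched_via": launch_chain(events, ev["pid"])[1:],
        })
    return found


if __name__ == "__main__":
    for c in root_commands(parse_events(SAMPLE_LOG)):
        via = " <- ".join(c["launched_via"]) or "(login)"
        print(f"auid={c['auid']} {' '.join(c['argv'])!r:<24} via {via}")
```

Run stand-alone, the script lists all four root commands with the same `auid=500`, and shows `id -u` as launched via `sh <- vim <- bash`; that is the attribution a patched bash alone cannot provide, since bash never sees the command vim hands to `/bin/sh -c`.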