Syscalls

James W. Hoeft Jim at MagitekLtd.com
Wed Feb 28 19:24:08 UTC 2007


Steve Grubb wrote:
> On Wednesday 28 February 2007 09:53, Valdis.Kletnieks at vt.edu wrote:
>> A malicious root user (or any user wanting to bypass a logging login shell)
>> could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
>> whatever they wanted to do.
> 
> I don't think any security target or standard assumes that you have a 
> malicious root user. I think that crosses the line from recording what 
> actions are performed to potential criminal investigation.

In our world, the primary purpose of audit logs is to support a criminal 
investigation - and a malicious root user is assumed. Two options were 
presented: ensure audit files are immutable and, if the system isn't auditing, 
shut it down; or put the root password under two-man control. (Couldn't 
accomplish the first in the time frame, so had to go with the second, which is an 
incredible pain for the admins - hope to change that with the next 
generation/selinux).

>> Probably what's *really* needed is a sebek-style logger that traces all
>> terminal activity on that connection. http://www.honeynet.org/tools/sebek/
>> but somebody would have to retarget that code to talk to the audit daemon
>> rather than an external server on another box.
> 
> Yeah, a keylogger is what you'd need and that probably goes beyond what audit 
> should be doing. If you want to record a lot of data, then you could also 
> add:
> 
> -a always,entry -S execve -F 'auid>=500' -F uid=0
> 
> -Steve

Jim
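Added example (not from the thread): a small Python filter that applies the same conditions as the rule Steve quotes, uid=0 and auid>=500 on execve, to constructed audit.log records, joining each event's SYSCALL and EXECVE records by their audit(timestamp:serial) id. The sample log lines and the x86_64 execve syscall number are assumptions of this example; it also shows that an unset auid (4294967295, i.e. -1) is numerically >= 500, so daemon-spawned root commands match the bare rule unless an auid!=unset condition is added.

```python
import re

AUID_UNSET = 4294967295          # loginuid when no login session set it (-1)
EXECVE_X86_64 = 59               # syscall number of execve on x86_64 (assumed arch)

# Constructed sample records in audit.log format (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172690648.123:1001): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=500 comm="useradd" exe="/usr/sbin/useradd"
type=EXECVE msg=audit(1172690648.123:1001): argc=2 a0="useradd" a1="bob"
type=SYSCALL msg=audit(1172690650.456:1002): arch=c000003e syscall=59 success=yes exit=0 uid=500 auid=500 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1172690650.456:1002): argc=1 a0="ls"
type=SYSCALL msg=audit(1172690651.789:1003): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=4294967295 comm="cron" exe="/usr/sbin/cron"
type=EXECVE msg=audit(1172690651.789:1003): argc=1 a0="cron"
"""

# key=value pairs; values are either "quoted strings" or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Return a dict of key=value fields; quoted values lose their quotes."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields

def root_execs(log_text, min_auid=500, skip_unset=True):
    """Events matching '-S execve -F auid>=500 -F uid=0', as (auid, argv) tuples.

    skip_unset=False behaves like the bare rule: an unset auid (4294967295) is
    numerically >= 500, so daemon-spawned root commands match too.
    skip_unset=True adds the 'auid!=unset' check common rule sets use."""
    events = {}                          # event id -> merged SYSCALL+EXECVE fields
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        serial = rec["msg"].rstrip(":")  # e.g. audit(1172690648.123:1001)
        events.setdefault(serial, {}).update(rec)
    hits = []
    for fields in events.values():
        if int(fields.get("syscall", -1)) != EXECVE_X86_64 or fields.get("uid") != "0":
            continue
        auid = int(fields["auid"])
        if auid < min_auid or (skip_unset and auid == AUID_UNSET):
            continue
        argv = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
        hits.append((auid, argv))
    return hits
```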
