plugin auditing approach question
Steve Grubb
sgrubb at redhat.com
Mon Jun 23 17:36:18 UTC 2008
On Monday 23 June 2008 13:27:25 LC Bruzenak wrote:
> I would create a library call and matching executable audit proxy. I'd
> give CAP_AUDIT_WRITE to the proxy. Then, the library call would
> fork/exec the audit proxy child, create a socket pair, and give each
> side their half of the pair.
So then you have shifted access control issues to the proxy. Once you have a
proxy, then other potentially misleading apps can write to it in order to
hide or make it hard to analyze a suspicious event. So, you need a way of
making sure that only certain apps can connect to the proxy...and bash should
not be one of them. :) Anyways, that is the core issue that I see.
-Steve
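The access-control problem Steve raises can be made concrete with a small added example (my code, not anything from this thread or from audit-libs): a proxy that, before it forwards anything with its CAP_AUDIT_WRITE, identifies the process on the other end of its AF_UNIX socket via SO_PEERCRED and accepts the record only if that peer's executable is on an allowlist. The allowlist contents, the record format, the function names and the in-process "proxy" child are assumptions for illustration; a real proxy would exec as a separate setcap binary and hand accepted records to audit_log_user_message().

```c
/* Added example; not code from the linux-audit thread. A minimal "audit proxy"
 * access check: identify the peer of an AF_UNIX socket with SO_PEERCRED and
 * require its executable (/proc/<pid>/exe) to be on an allowlist before any
 * record is accepted. Allowlist, record format and names are assumptions. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Resolve the executable path of the peer process on a connected AF_UNIX
 * stream socket (or the creator of a socketpair). 0 on success, -1 on error. */
int peer_exe(int fd, char *buf, size_t buflen)
{
    struct ucred cr;
    socklen_t len = sizeof cr;
    char path[64];
    ssize_t n;

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    snprintf(path, sizeof path, "/proc/%ld/exe", (long)cr.pid);
    n = readlink(path, buf, buflen - 1);   /* fails if pid is gone or /proc is absent */
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* The proxy's gate: 1 = peer executable is allowed, 0 = denied,
 * -1 = peer cannot be identified (treat as denied). */
int peer_allowed(int fd, const char *const *allowed)
{
    char exe[PATH_MAX];

    if (peer_exe(fd, exe, sizeof exe) < 0)
        return -1;
    for (; *allowed; allowed++)
        if (strcmp(exe, *allowed) == 0)
            return 1;
    return 0;
}

/* One proxy transaction: gate first, then read the record. Returns the gate
 * result; the record buffer is only filled when the peer was allowed. */
int proxy_serve_one(int fd, const char *const *allowed, char *record, size_t reclen)
{
    ssize_t n;
    int r = peer_allowed(fd, allowed);

    if (r != 1)
        return r;                  /* nothing from an unauthorised peer is read */
    n = read(fd, record, reclen - 1);
    if (n < 0)
        return -1;
    record[n] = '\0';
    return 1;
}

int main(void)
{
    int sv[2];
    char self[PATH_MAX];
    const char *msg = "login from 10.0.0.5 ok";   /* constructed sample record */
    ssize_t n;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    n = readlink("/proc/self/exe", self, sizeof self - 1);
    if (n < 0) { perror("readlink"); return 1; }
    self[n] = '\0';

    pid = fork();
    if (pid == 0) {
        /* Child plays the proxy. In the thread's design this would be an
         * exec'd CAP_AUDIT_WRITE binary; here it stays in-process. Its peer
         * (the creator of the socketpair) is the parent, same executable. */
        const char *const allowed[]   = { self, NULL };
        const char *const only_bash[] = { "/bin/bash", NULL };
        char rec[256] = "";
        int r;

        close(sv[0]);
        r = proxy_serve_one(sv[1], allowed, rec, sizeof rec);
        printf("allowlist {self}:      %s \"%s\"\n", r == 1 ? "accepted" : "rejected", rec);
        r = peer_allowed(sv[1], only_bash);
        printf("allowlist {/bin/bash}: %s\n", r == 1 ? "accepted" : "rejected");
        _exit(0);
    }
    close(sv[1]);
    if (write(sv[0], msg, strlen(msg)) < 0) perror("write");
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return 0;
}
```

Two caveats on this check, both general properties of SO_PEERCRED rather than anything the thread states: the credentials describe the process that connected (or created the socketpair) at that time, so a pid can be recycled or the peer can exec something else afterwards, which makes a path-based allowlist a coarse filter rather than a strong identity; and it does nothing about the case Steve implies, where bash simply execs the setcap proxy binary itself, which has to be prevented by the binary's own file permissions or an LSM policy, not by the socket check.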