auditd not triggering ANOM_ROOT_TRANS record

teroz terence.namusonge at gmail.com
Tue Oct 25 13:42:13 UTC 2016


Hey William,

The exploit is run as a normal user and privilege-escalates to a root shell.

On Tue, 25 Oct 2016 at 15:09 William Roberts <bill.c.roberts at gmail.com>
wrote:

> On Oct 25, 2016 05:12, "teroz" <terence.namusonge at gmail.com> wrote:
> >
> > I used one of the dirtycow root exploits on Fedora24 configured
> with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
> didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
> best way to trivially audit for a successful privilege escalation?
> >
>
> I would imagine that if it's hijacking an already root or setuid binary,
> you won't see anything. As far as that record goes, I have no idea, I'll
> let an auditing expert answer that question.
>
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
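One way to approach the second question from the thread (auditing for a successful move from a login uid to root) without depending on ANOM_ROOT_TRANS, as an added example that is not part of the thread or of audit's own tooling: it walks auditd SYSCALL records for successful execve calls and flags any that reach euid=0 from a real login uid (auid) when neither the executed image, the process's previous image, nor its parent's image is an expected transition binary such as sudo. The sample log lines, the allowlist and the key name are constructed assumptions.

```python
import re

# Constructed sample auditd SYSCALL records (execve is syscall 59 on x86_64).
# Not from the original thread: they model a sudo-obtained root shell next to
# a root shell spawned by an unprivileged, non-setuid program, plus a daemon.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1477402933.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="sudo" exe="/usr/bin/sudo" key="priv_exec"
type=SYSCALL msg=audit(1477402933.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="bash" exe="/usr/bin/bash" key="priv_exec"
type=SYSCALL msg=audit(1477402933.201:301): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="poc" exe="/home/alice/poc" key="priv_exec"
type=SYSCALL msg=audit(1477402933.202:302): arch=c000003e syscall=59 success=yes exit=0 ppid=1301 pid=1302 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="bash" exe="/usr/bin/bash" key="priv_exec"
type=SYSCALL msg=audit(1477402933.301:401): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="priv_exec"
"""

# Binaries expected to move a session from its login uid to euid 0
# (assumed allowlist; adjust to the host's real setuid/PAM tooling).
EXPECTED_TRANSITION_BINARIES = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec"}
UNSET_AUID = 4294967295  # auid of processes with no login session (daemons)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one key=value audit line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def find_escalations(log_text):
    """Return (serial, pid, exe, reason) for successful execve records that
    reach euid 0 from a real login uid with no expected transition binary
    among the image, the pid's previous image, or the parent's image."""
    exe_by_pid = {}  # last image executed by each pid seen so far
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59" or rec.get("success") != "yes":
            continue
        pid, ppid, exe = rec["pid"], rec["ppid"], rec["exe"]
        auid, euid = int(rec["auid"]), int(rec["euid"])
        previous_exe = exe_by_pid.get(pid)
        exe_by_pid[pid] = exe
        if euid != 0 or auid in (0, UNSET_AUID):
            continue  # no root transition, or no real login uid to compare with
        lineage = {exe, previous_exe, exe_by_pid.get(ppid)}
        if lineage & EXPECTED_TRANSITION_BINARIES:
            continue  # sudo/su/pkexec explains the transition
        serial = rec["msg"].split(":")[1].rstrip(")")
        findings.append((serial, pid, exe, f"auid={auid} reached euid=0 via {exe_by_pid.get(ppid)}"))
    return findings
```

As William's reply implies, this heuristic inherits the same blind spot: an escalation that hijacks a setuid binary already on the allowlist looks like a normal transition.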