On Wed, 28 Feb 2007 08:28:47 EST, Steve Grubb said:
> > 4) We're trying to track all usage by the root user, again we are getting
> > a whole bunch of other stuff in the logs, not actions by the user root
> > only.
>
> I am still looking at this. I think we need to patch bash for this.
A patch to bash would be necessary, but not sufficient.
A malicious root user (or any user wanting to bypass a logging login shell)
could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
whatever they wanted to do. Or launch a copy of Emacs and start 'shell.el',
or just launch a copy of perl, and type 'system("command");' at it, or.....
Probably what's *really* needed is a sebek-style logger that traces all
terminal activity on that connection. http://www.honeynet.org/tools/sebek/
but somebody would have to retarget that code to talk to the audit daemon
rather than an external server on another box.
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
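The shell escape described above (a command run via `!` from vi) is exactly what a patched bash never sees but an execve audit rule does record. As an added example, not code from this thread: a Python script over constructed, simplified auditd SYSCALL records that flags root's execs whose process ancestry passes through a non-shell program such as an editor or interpreter.

```python
import re

# Constructed, simplified auditd SYSCALL records (real records carry more fields):
# a root login shell (pid 1001), vi started from it, a shell escape from vi,
# a command run in that escaped shell, and a plain command typed into the login shell.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1172668127.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=0 uid=0 comm="bash" exe="/bin/bash" key="root-exec"
type=SYSCALL msg=audit(1172668130.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1002 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key="root-exec"
type=SYSCALL msg=audit(1172668140.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1002 pid=1003 auid=0 uid=0 comm="sh" exe="/bin/sh" key="root-exec"
type=SYSCALL msg=audit(1172668141.404:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1003 pid=1004 auid=0 uid=0 comm="id" exe="/usr/bin/id" key="root-exec"
type=SYSCALL msg=audit(1172668150.505:205): arch=c000003e syscall=59 success=yes exit=0 ppid=1001 pid=1005 auid=0 uid=0 comm="ls" exe="/bin/ls" key="root-exec"
"""

SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "csh"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one audit line into a dict of key/value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def load_execs(log):
    """Keep only successful execve records (syscall 59 on x86_64)."""
    recs = [parse_record(l) for l in log.splitlines() if l.strip()]
    return [r for r in recs if r.get("syscall") == "59" and r.get("success") == "yes"]

def ancestry(pid, procs):
    """Follow ppid links through the exec records we saw; oldest ancestor first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))

def shell_escapes(log):
    """Root (auid=0) execs whose ancestry passes through a non-shell program:
    these are the commands a bash-only logger would never record."""
    execs = load_execs(log)
    procs = {r["pid"]: r for r in execs}
    hits = []
    for r in execs:
        if r.get("auid") != "0":
            continue
        chain = ancestry(r["pid"], procs)
        # chain[-1] is this exec itself; inspect what sits between it and the login shell
        if any(c not in SHELLS for c in chain[:-1]):
            hits.append((r["comm"], chain))
    return hits
```

Running `shell_escapes(SAMPLE_AUDIT_LOG)` flags `sh` and `id` (ancestry bash > vi > sh), while `vi` and `ls`, typed directly into the login shell, are not flagged.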
