On Wednesday 28 February 2007 09:53, [EMAIL PROTECTED] wrote:
> A malicious root user (or any user wanting to bypass a logging login shell)
> could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
> whatever they wanted to do.

I don't think any security target or standard assumes that you have a malicious root user. I think that crosses the line from recording what actions are performed to potential criminal investigation.

> Probably what's *really* needed is a sebek-style logger that traces all
> terminal activity on that connection. http://www.honeynet.org/tools/sebek/
> but somebody would have to retarget that code to talk to the audit daemon
> rather than an external server on another box.

Yeah, a keylogger is what you'd need and that probably goes beyond what audit should be doing. If you want to record a lot of data, then you could also add:

-a always,entry -S execve -F 'auid>=500' -F uid=0

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
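As an added example (not from the thread), the Python below shows what the execve rule Steve gives yields in practice: it reconstructs, from a constructed audit.log excerpt, the argv of every command a logged-in user (auid >= 500) ran as uid 0, joining each SYSCALL record to its EXECVE record by event serial, so the `:!command` shell escape from the quoted vi example shows up as `sh -c ...`. Two details the rule alone leaves open are handled: audit writes an argument containing spaces as bare hex, and the kernel compares auid as unsigned, so a daemon with an unset auid (4294967295) also satisfies 'auid>=500' unless the rule adds `-F auid!=4294967295`. (Current auditctl writes the rule with `always,exit`; the `entry` list is obsolete.)

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (sample data, not a real capture), trimmed to the
# fields used below. Event 4502 is the ':!id -u root' shell escape typed inside vi.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172666000.123:4501): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 euid=0 comm="vi" exe="/usr/bin/vi"
type=EXECVE msg=audit(1172666000.123:4501): argc=2 a0="vi" a1="/tmp/foo"
type=SYSCALL msg=audit(1172666005.456:4502): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 euid=0 comm="sh" exe="/bin/sh"
type=EXECVE msg=audit(1172666005.456:4502): argc=3 a0="sh" a1="-c" a2=6964202D7520726F6F74
type=SYSCALL msg=audit(1172666009.000:4503): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 euid=0 comm="run-parts" exe="/bin/run-parts"
type=EXECVE msg=audit(1172666009.000:4503): argc=1 a0="run-parts"
"""
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # (unsigned)-1: the process never passed through a login

def parse_record(line):
    """Return (type, serial, {field: value}) for one audit line, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        if val.startswith('"'):
            val = val[1:-1]
        # an argument with spaces/control bytes is written as bare uppercase hex; decode it
        elif re.fullmatch(r'a\d+', key) and re.fullmatch(r'(?:[0-9A-F]{2})+', val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    return rtype, serial, fields

def root_commands(log_text, min_auid=500):
    """argv of every execve run as uid 0 by a logged-in user (auid >= min_auid)."""
    events = defaultdict(dict)  # serial -> {record type: fields}
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        events[rec[1]][rec[0]] = rec[2]
    found = []
    for serial in sorted(events, key=int):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex:
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        # auid is compared unsigned, so an unset auid (4294967295) also passes 'auid>=500'
        if auid == AUID_UNSET or auid < min_auid or uid != 0:
            continue
        argv = [ex.get(f"a{i}", "?") for i in range(int(ex["argc"]))]
        found.append((auid, sc["exe"], argv))
    return found
```

Running `root_commands(SAMPLE_LOG)` yields the vi invocation and the `sh -c "id -u root"` it spawned, while the cron-driven run-parts event with an unset auid is dropped.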
