On Monday 23 June 2008 13:27:25 LC Bruzenak wrote:
> I would create a library call and matching executable audit proxy. I'd
> give CAP_AUDIT_WRITE to the proxy. Then, the library call would
> fork/exec the audit proxy child, create a socket pair, and give each
> side their half of the pair.
So then you have shifted access control issues to the proxy. Once you have a proxy, then other potentially misleading apps can write to it in order to hide or make it hard to analyze a suspicious event. So, you need a way of making sure that only certain apps can connect to the proxy...and bash should not be one of them. :)

Anyways, that is the core issue that I see.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
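An added example, not code from this thread or from the audit project, sketching the design LC Bruzenak describes together with the sender check Steve asks for: the caller spawns the proxy holding one half of a socketpair, and the proxy reads the peer's credentials with SO_PEERCRED before forwarding anything. It assumes Linux; the function names, the single-uid allowlist and the stand-in for the real audit write are invented.

```c
#define _GNU_SOURCE                     /* for struct ucred */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Proxy side (hypothetical). Reads the sender's credentials from the
 * socketpair and refuses anything not from the allowed uid. Returns
 * bytes forwarded, 0 if denied, -1 on error. */
static int proxy_serve(int fd, uid_t allowed_uid) {
    struct ucred cr;
    socklen_t len = sizeof cr;
    char buf[256];
    ssize_t n;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    n = read(fd, buf, sizeof buf - 1);
    if (n <= 0) return -1;
    buf[n] = '\0';
    if (cr.uid != allowed_uid) {        /* untrusted sender: drop it */
        (void)write(fd, "DENY", 4);
        return 0;
    }
    /* a real proxy would call audit_log_user_message() here; we only ack */
    (void)write(fd, "ACK", 3);
    return (int)n;
}

/* Library side (hypothetical): spawn the proxy holding one half of a
 * socketpair, send msg over the other half, return 1 if it was accepted. */
int audit_via_proxy(const char *msg, uid_t allowed_uid) {
    int sv[2], status;
    char reply[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child: the proxy (exec'd in practice) */
        close(sv[0]);
        _exit(proxy_serve(sv[1], allowed_uid) > 0 ? 0 : 1);
    }
    close(sv[1]);
    (void)write(sv[0], msg, strlen(msg));
    (void)read(sv[0], reply, sizeof reply - 1);
    close(sv[0]);
    waitpid(pid, &status, 0);
    return strcmp(reply, "ACK") == 0 ? 1 : 0;
}
```

SO_PEERCRED on a socketpair reports the credentials of the process that created the pair, so a uid check alone cannot tell a trusted library apart from a shell run by the same user, which is exactly the gap Steve points at. Tightening that would mean the proxy also inspecting the peer pid (for example its executable) against an allowlist before forwarding.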
