On Fri, Jan 21, 2005 at 10:29:47AM -0800, Chris Wright wrote:
> Now for updates, I think you'll need to keep watch of the whole tree,
> mount issues aside. For example, I believe that right now the following
> could fall off of the radar:
> # mv /etc /tmp
> # mkdir /etc
> # cp /tmp/evil_shadow /etc/shadow
> I think this would kill /etc dir watchpoints, and /etc/shadow would no
> longer be watched, while /tmp/etc/shadow is diligently watched.

This type of thing is not a concern for CAPP and LSPP, since
administrators are still assumed to be trustworthy, and ordinary users
can't do that kind of thing. I'm not convinced that it's a real concern
in practical use either - an audit subsystem that could cope with
malicious administrators reliably would need to be designed differently.
I guess it would be possible to set up a watch list on "/" to monitor
renames/recreation of /etc though, which would at least give admins the
chance to notice this kind of thing happening.
-Klaus
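An added illustration of the point Klaus makes about a watch on "/" (example code written for this page, not from the thread or from the audit subsystem under discussion): it uses inotify, which follows inodes the same way the thread describes for directory watchpoints, as a stand-in for the audit watch list. A temporary directory plays the role of "/" and its "etc" subdirectory the role of /etc; the names, paths and the "marker" file are constructed for the demo. After replaying the mv/mkdir/cp sequence from the quoted mail, the report shows that the watch placed on "etc" itself silently follows the moved inode and never sees the new etc/shadow, while the watch on the parent directory reports both the rename (IN_MOVED_FROM) and the recreation (IN_CREATE), which is the signal an administrator would need in order to notice.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* What each watch reported after the mv/mkdir/cp sequence from the mail. */
struct watch_report {
    int ok;                     /* temp tree and watches were set up            */
    int parent_saw_moved_from;  /* watch on the parent ("/") saw etc moved away */
    int parent_saw_create;      /* watch on the parent saw a new etc appear     */
    int dir_saw_move_self;      /* watch on etc itself was told it moved        */
    int old_dir_still_watched;  /* the etc watch keeps following the moved inode */
    int new_shadow_seen;        /* did any watch report the new etc/shadow?     */
};

/* Read every queued event (fd is non-blocking) and fill in the report. */
static void drain_events(int fd, int wd_parent, int wd_dir, struct watch_report *r)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };

    while (poll(&pfd, 1, 100) > 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break;
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            const char *name = ev->len ? ev->name : "";
            if (ev->wd == wd_parent) {           /* the "/" watch sees its children by name */
                if ((ev->mask & IN_MOVED_FROM) && strcmp(name, "etc") == 0)
                    r->parent_saw_moved_from = 1;
                if ((ev->mask & IN_CREATE) && strcmp(name, "etc") == 0)
                    r->parent_saw_create = 1;
            } else if (ev->wd == wd_dir) {       /* the "etc" watch is bound to the inode   */
                if (ev->mask & IN_MOVE_SELF)
                    r->dir_saw_move_self = 1;
                if ((ev->mask & IN_CREATE) && strcmp(name, "marker") == 0)
                    r->old_dir_still_watched = 1;
            }
            if (strcmp(name, "shadow") == 0)     /* the replacement file under the new etc  */
                r->new_shadow_seen = 1;
            p += sizeof(struct inotify_event) + ev->len;
        }
    }
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Build <root>/etc/shadow, watch <root> and <root>/etc, replay the sequence. */
struct watch_report run_scenario(void)
{
    struct watch_report r = {0};
    char root[] = "/tmp/watchdemoXXXXXX";      /* constructed stand-in for "/" */
    char etc[PATH_MAX], tmp[PATH_MAX], moved[PATH_MAX], p[PATH_MAX];

    if (!mkdtemp(root))
        return r;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(tmp, sizeof tmp, "%s/tmp", root);
    snprintf(moved, sizeof moved, "%s/tmp/etc", root);
    mkdir(etc, 0700);
    mkdir(tmp, 0700);
    snprintf(p, sizeof p, "%s/shadow", etc);
    touch(p);

    int fd = inotify_init1(IN_NONBLOCK);
    int wd_parent = fd < 0 ? -1 : inotify_add_watch(fd, root, IN_CREATE | IN_MOVED_FROM | IN_MOVED_TO);
    int wd_dir    = fd < 0 ? -1 : inotify_add_watch(fd, etc, IN_MOVE_SELF | IN_CREATE);
    if (wd_parent >= 0 && wd_dir >= 0) {
        r.ok = 1;
        rename(etc, moved);                           /* mv /etc /tmp                */
        mkdir(etc, 0700);                             /* mkdir /etc                  */
        snprintf(p, sizeof p, "%s/shadow", etc);
        touch(p);                                     /* cp /tmp/evil_shadow /etc/shadow */
        snprintf(p, sizeof p, "%s/marker", moved);
        touch(p);                                     /* activity in the moved dir   */
        drain_events(fd, wd_parent, wd_dir, &r);
    }
    if (fd >= 0)
        close(fd);

    /* remove the temporary tree again (errors ignored on purpose) */
    snprintf(p, sizeof p, "%s/shadow", moved); unlink(p);
    snprintf(p, sizeof p, "%s/marker", moved); unlink(p);
    snprintf(p, sizeof p, "%s/shadow", etc);   unlink(p);
    rmdir(moved); rmdir(tmp); rmdir(etc); rmdir(root);
    return r;
}

int main(void)
{
    struct watch_report r = run_scenario();
    printf("setup ok=%d  parent: moved_from=%d create=%d  etc watch: move_self=%d still_on_old_inode=%d  new shadow seen=%d\n",
           r.ok, r.parent_saw_moved_from, r.parent_saw_create,
           r.dir_saw_move_self, r.old_dir_still_watched, r.new_shadow_seen);
    return r.ok ? 0 : 1;
}
```

The run needs Linux with inotify and a writable /tmp; it needs no privileges because everything happens inside the temporary tree. The parent watch is what makes the rename visible at all; an auditor who only watches the directory of interest sees IN_MOVE_SELF but gets no event for the path being reoccupied, and nothing at all for files written under the replacement directory.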