On Monday 23 June 2008 13:27:25 LC Bruzenak wrote:
> I would create a library call and matching executable audit proxy. I'd
> give CAP_AUDIT_WRITE to the proxy. Then, the library call would
> fork/exec the audit proxy child, create a socket pair, and give each
> side their half of the pair.
So then you have shifted access control issues to the proxy. Once you have a
proxy, then other potentially misleading apps can write to it in order to
hide or make it hard to analyze a suspicious event. So, you need a way of
making sure that only certain apps can connect to the proxy...and bash should
not be one of them. :) Anyways, that is the core issue that I see.
-Steve
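The access-control step Steve says the proxy design needs, as an added example that is not code from the thread or from the audit project: the proxy side of an AF_UNIX socket asks the kernel who its peer is (SO_PEERCRED) and resolves that peer's running binary through /proc, then checks both against an allow-list that deliberately contains no shell. The policy shape, the allow-listed paths (`/usr/sbin/exampled`, `/usr/bin/example-client`) and the function names are assumptions; the demo uses a socket pair so that the "client" is the interpreter itself.

```python
"""Added example (not from the thread): a minimal peer check an audit proxy
could run per connection, trusting only kernel-supplied facts about the
client, never anything the client writes on the socket."""
import os
import socket
import struct

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid;  (three C ints)
_UCRED_FMT = "3i"
# SO_PEERCRED is Linux-specific; 17 is its numeric value on Linux.
_SO_PEERCRED = getattr(socket, "SO_PEERCRED", 17)

# Assumed policy: only these binaries, running as root, may submit records.
# An interactive shell such as /bin/bash is intentionally not listed.
DEFAULT_POLICY = {
    "allowed_exes": {"/usr/sbin/exampled", "/usr/bin/example-client"},  # assumed
    "allowed_uids": {0},
}


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process at the other end of an AF_UNIX
    socket, as recorded by the kernel at connect()/socketpair() time."""
    raw = sock.getsockopt(socket.SOL_SOCKET, _SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def peer_executable(pid):
    """Resolve the peer's running binary via /proc/<pid>/exe. Reading it needs
    ptrace-level access (same uid or CAP_SYS_PTRACE, which a root proxy has).
    Returns None when the binary cannot be determined."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def decide(creds, exe, policy=DEFAULT_POLICY):
    """Allow (True) or deny (False) one client.

    Both inputs come from the kernel, not from the client: `creds` from
    SO_PEERCRED, `exe` from /proc. Unknown or replaced binaries are denied."""
    _pid, uid, _gid = creds
    if exe is None:
        return False                       # cannot identify the peer
    if exe.endswith(" (deleted)"):
        return False                       # binary replaced since it started
    if uid not in policy["allowed_uids"]:
        return False
    return exe in policy["allowed_exes"]


def demo():
    """Stand in for the library side and the proxy side with a socket pair.
    The peer is this interpreter, so the verdict is a denial: python is not
    on the allow-list, exactly as a shell would not be."""
    lib_side, proxy_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds = peer_credentials(proxy_side)   # this process's pid/uid/gid
        exe = peer_executable(creds[0])        # path of the python binary
        return creds, exe, decide(creds, exe)
    finally:
        lib_side.close()
        proxy_side.close()


if __name__ == "__main__":
    creds, exe, verdict = demo()
    print(f"peer pid={creds[0]} uid={creds[1]} exe={exe} allowed={verdict}")
```

Two caveats a deployer would want: the /proc path is a point-in-time check (a pid can be reused, and an allow-listed binary that itself executes untrusted code still passes), which is the sense in which a proxy only moves the access-control problem rather than removing it; and SO_PEERCRED is Linux-only, so on other platforms the proxy would need that platform's equivalent.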