On Wed, 28 Feb 2007 08:28:47 EST, Steve Grubb said:
> > 4) We're trying to track all usage by the root user, again we are getting
> > a whole bunch of other stuff in the logs, not actions by the user root
> > only.
> I am still looking at this. I think we need to patch bash for this.
A patch to bash would be necessary, but not sufficient.
A malicious root user (or any user wanting to bypass a logging login shell)
could just 'vi /tmp/foo', and then use '!your_command_here -h -x -Q 3' or
whatever they wanted to do. Or launch a copy of Emacs and start 'shell.el',
or just launch a copy of perl, and type 'system("command");' at it,
or.....
Probably what's *really* needed is a sebek-style logger that traces all
terminal activity on that connection.
http://www.honeynet.org/tools/sebek/
but somebody would have to retarget that code to talk to the audit daemon
rather than an external server on another box.