On Thu, 03 Feb 2005 11:08:08 EST, Avishay Traeger said:
> PID=`ps x | grep auditd | grep -v grep | cut -c 2-5`
> /sbin/auditctl -a entry,always -S all -F pid!=$PID || exit 3
This will, under some conditions, allow an attacker a "free lunch" just by
calling his process something with 'auditd' in it. You really need to check
against what process is actually doing the auditd function (i.e. is it listening
to the netlink?)
The 'cut -c 2-5' will bork if auditd gets a process ID over 9999. '-c 1-6' or
awk '{print $1}' might be better....
Also, you can save a fork/exec like this:
PID=`ps x | grep 'aud[i]td' | cut -c 1-5`
(Think carefully about how grep applies the regexp when it finds itself...)
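As an added illustration (not code from Valdis's reply or from Avishay's script): a POSIX shell script that runs the three pipelines over a constructed `ps x` listing, so the substring match, the truncation of a 5-digit PID by `cut -c 2-5`, and the way the `aud[i]td` regexp skips its own grep process can all be seen on fixed input. It then adds two checks for a live system that identify the daemon by its executable path and by its audit netlink socket rather than by a name substring. The PIDs, the `/home/mallory/...` impostor and the `grep aud[i]td` line are constructed sample data; the netlink check assumes that protocol number 9 is NETLINK_AUDIT (as in linux/netlink.h) and that auditd's socket was autobound so that its portid equals its PID, and `find_auditd_pid` is a hypothetical replacement for the original `PID=` line.

```shell
#!/bin/sh
# Added example, not from the original thread. Three ways of picking the
# auditd PID out of `ps x` output, run on a constructed listing so the
# failure modes are visible, plus two live-system checks.

# Constructed `ps x` listing (PIDs and paths are made up). 12345 is an
# unrelated process that merely has "auditd" in its path; the last line is
# the grep process that is present on a live system during the aud[i]td trick.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  942 ?        S<sl   0:00 /sbin/auditd
12345 ?        S      0:00 /home/mallory/auditd_is_my_name
12346 pts/0    S+     0:00 grep aud[i]td'

# 1. The original script's pipeline: substring match on the name, columns 2-5.
#    Two PIDs come out (the impostor matches), and 12345 is truncated to 2345,
#    so the auditctl rule would end up excluding the wrong process.
naive_pid() {
    printf '%s\n' "$SAMPLE_PS" | grep auditd | grep -v grep | cut -c 2-5
}

# 2. The aud[i]td trick: the grep process's own command line contains the
#    text "aud[i]td", which the regexp aud[i]td does not match, so the
#    `grep -v grep` is unnecessary; columns 1-5 hold a 5-digit PID.
#    The impostor still matches: this only saves the fork/exec.
bracket_pid() {
    printf '%s\n' "$SAMPLE_PS" | grep 'aud[i]td' | cut -c 1-5
}

# 3. Compare the whole command field (field 5 of `ps x` output) against the
#    daemon's exact path instead of grepping for a substring of the line.
exact_pid() {
    printf '%s\n' "$SAMPLE_PS" | awk '$5 == "/sbin/auditd" { print $1 }'
}

# --- live-system checks (not exercised on the constructed listing) ---

# PIDs whose executable really is /sbin/auditd, read from /proc/<pid>/exe.
# Reading exe links of other users' processes needs root, which the
# auditctl call in the original script needs anyway.
live_auditd_pids() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ "$exe" = "/sbin/auditd" ] && echo "${d#/proc/}"
    done
}

# Portids of sockets bound to the audit netlink family, from /proc/net/netlink
# (field 2 = protocol, field 3 = portid, first line is the header).
# Assumptions: protocol 9 is NETLINK_AUDIT (linux/netlink.h), and auditd's
# socket was autobound, so its portid equals its PID. Portid 0 is the kernel.
audit_netlink_portids() {
    awk 'NR > 1 && $2 == 9 && $3 != 0 { print $3 }' /proc/net/netlink 2>/dev/null
}

# Hypothetical replacement for the original PID= line: require exactly one
# /sbin/auditd process, and require that its PID owns an audit netlink socket,
# i.e. that it is the process actually doing the auditd job.
find_auditd_pid() {
    pids=$(live_auditd_pids)
    [ "$(printf '%s\n' "$pids" | grep -c .)" -eq 1 ] || return 1
    audit_netlink_portids | grep -qx "$pids" || return 1
    echo "$pids"
}

# Usage in the original script's context (run as root):
#   PID=$(find_auditd_pid) || exit 3
#   /sbin/auditctl -a entry,always -S all -F pid!=$PID || exit 3
```

On the constructed listing `naive_pid` prints ` 942` and `2345`, `bracket_pid` prints `  942` and `12345`, and only `exact_pid` prints the single correct `942`. `find_auditd_pid` fails closed: if `/proc/net/netlink` is unreadable, or two copies of `/sbin/auditd` are running, the script exits rather than installing a rule that exempts the wrong PID.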