* Klaus Weidner (klaus(a)atsec.com) wrote:
> This type of thing is not a concern for CAPP and LSPP, since
> administrators are still assumed to be trustworthy, and ordinary users
> can't do that kind of thing. I'm not convinced that it's a real concern
> in practical use either - an audit subsystem that could cope with
> malicious administrators reliably would need to be designed differently.

Yes, that's the same conversation I was having with Tim. That will take
any mount issues off the table, as they are identical.

> I guess it would be possible to set up a watch list on "/" to monitor
> renames/recreation of /etc though, which would at least give admins the
> chance to notice this kind of thing happening.

Right, that's what I meant by watching the whole tree.

thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net