On Friday 04 December 2009 06:08:42 am Trevor Vaughan wrote:
>>> I'm getting lots of extraneous chatter from sshd, automount, and cron,
>>> all of which are from tty=(none), but I'm not sure it's possible to
>>> filter on tty...
> It's not as far as I could find, though this would be an awesome
> feature. Basically, the ability to say, tty!=none.

This can be easily subverted by an attacker. Open af_unix socket, pass
descriptor, do not read it, close stdin - stdout and do evil work, then read
socket and use tty input/output again.

>> The way that we suggest auditing the actions of a root user is by using
>> the tty audit capability. This is a little more specific about what is
>> really happening. For example, someone could start a python shell and
>> start issuing commands. If you audit by execve, then all you see is
>> python start up and then you see nothing else. Also, bash can do
>> networking. It's possible to transfer files using bash primitives that you
>> won't pick up by auditing execve syscalls. Awk is also network aware...
> One thing to note about the tty audit capability is that it is a forward
> processing logger, not an echo logger.

I prefer to call it a keystroke logger because it gets all of them.

> This means that it will capture passwords that you type in at the command
> line even if they are not echoed.

True and they are protected by needing root level access to get at them.
Anyone that has root access can install a rootkit to grab passwords just as
easily. If the concern is that these could be stored and looked at by anyone
with access to the backed up logs, then use gpg to encrypt the files.

> You may want to look at something like sudosh or the like which are echo
> loggers and will not collect anything that is hidden from the terminal.

Those are easily subverted, though.

> This presents its own problems, but at least won't grab sensitive
> passwords in general.
All protection profiles state that root is trusted. There are at least 20
covert channels I can think of that would let an evil admin get a user's
private keys/data or credentials.
-Steve
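Added example, not part of the thread above and not code from the audit project: since the rule engine cannot express tty!=none, the practical defender's option is to drop the tty=(none) SYSCALL records (sshd, cron, automount) at log-processing time instead, and to decode the keystroke data that the tty audit capability records. The log lines below are constructed; the TTY record is assumed to carry its keystrokes hex-encoded in a data= field, which is the layout I expect from pam_tty_audit but have not taken from this page. Per Steve's point, the tty field is a convenience for noise reduction, not a trust boundary.

```python
import re
from typing import Dict, List

# Constructed sample records in auditd's key=value layout (made-up values):
# three execve SYSCALL records, two from daemons with no controlling tty,
# and one TTY record of the kind the tty audit capability emits.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1259928522.123:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
type=SYSCALL msg=audit(1259928530.456:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2410 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="python" exe="/usr/bin/python" key="exec"
type=SYSCALL msg=audit(1259928531.000:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2500 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=TTY msg=audit(1259928540.000:4504): tty pid=2410 uid=0 auid=1000 ses=7 major=136 minor=0 comm="bash" data=6C73202D6C610D
"""

# Header common to every record, then a free-form key=value body.
HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# A field is key=value where value is either quoted or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a flat dict of its fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec_type, ts, serial, body = m.groups()
    rec = {"type": rec_type, "time": ts, "serial": serial}
    for key, val in FIELD_RE.findall(body):
        rec[key] = val.strip('"')  # quoted values such as comm="cron"
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def interactive_only(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Post-hoc equivalent of the wished-for tty!=none filter: keep SYSCALL
    records that have a controlling terminal, drop daemon noise.  Hypothetical
    helper; a process can arrange its descriptors so this is not a reliable
    indicator of what was interactive."""
    return [
        r for r in records
        if r["type"] == "SYSCALL" and r.get("tty", "(none)") != "(none)"
    ]


def decode_tty_keystrokes(rec: Dict[str, str]) -> str:
    """Turn the hex data= field of a TTY record back into the typed bytes.
    This is exactly why the thread calls it a keystroke logger: unechoed
    input (a password prompt) would appear here too."""
    if rec["type"] != "TTY":
        raise ValueError("not a TTY record")
    return bytes.fromhex(rec["data"]).decode("latin-1")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in interactive_only(recs):
        print(f"serial={r['serial']} auid={r['auid']} tty={r['tty']} exe={r['exe']}")
    for r in recs:
        if r["type"] == "TTY":
            print(f"keystrokes from pid {r['pid']}: {decode_tty_keystrokes(r)!r}")
```

Run it as a script to see the single interactive execve (serial 4502) survive the filter while the cron and sshd records are dropped, and the TTY record decode to the typed command. If the decoded keystroke text is kept long term, it is the part of the log to protect with gpg as suggested above.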