David Wagner wrote:
> Casey Schaufler wrote:
> > A good audit analysis tool is going to be able to answer queries based on fd,
> > such as "where did this Trojan Horse get stdin from?".
>
> But this is not responsive to the question. This may be a good reason
> to record what fd 0 is connected to when the app was started, but it's
> not clear to me why this is a good reason to audit the fd on every call
> to read().

Ah. On a system which has been running for a year, the audit record which
contains that information may be contained only on a tape in a salt mine a
thousand miles away. A good audit record needs to contain enough information
to be useful without resorting to backtracking through terabytes of history
information.

It is also true that while stdin, stdout, and stderr are often the most
interesting and abusable fds, they are not the only ones.

--
Casey Schaufler
Manager, Trust Technology, SGI
caseyat_private voice: 650.933.1634
casey_pat_private Pager: 888.220.0607

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
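An added illustration of the point argued above (constructed example, not code from the thread or from any LSM): a toy auditor emits one record per syscall, either minimal or with the fd's target stamped onto each read(); the analyst query "what was fd 0 connected to?" then either reads the answer off the record or has to replay the open/dup2 history, which fails once older records have been rotated away. The Auditor class, scenario(), the pid 4242 and the path /etc/passwd are all assumptions made for the example.

```python
class Auditor:
    """Toy audit source: tracks live fd tables (as the kernel would) and emits
    one record per syscall; self_contained=True adds the target to read()."""
    def __init__(self, self_contained: bool):
        self.self_contained = self_contained
        self.tables = {}   # pid -> {fd: path}
        self.log = []

    def _rec(self, pid, **fields):
        self.log.append(dict(seq=len(self.log) + 1, pid=pid, **fields))

    def open(self, pid, fd, path):
        self.tables.setdefault(pid, {})[fd] = path
        self._rec(pid, type="open", fd=fd, path=path)

    def dup2(self, pid, old, new):
        self.tables[pid][new] = self.tables[pid].get(old)
        self._rec(pid, type="dup2", old=old, new=new)

    def close(self, pid, fd):
        self.tables[pid].pop(fd, None)
        self._rec(pid, type="close", fd=fd)

    def read(self, pid, fd):
        extra = {"target": self.tables[pid].get(fd)} if self.self_contained else {}
        self._rec(pid, type="read", fd=fd, **extra)

def fd_target_at(log, read_rec):
    """Analyst query: what was read_rec['fd'] connected to? Uses the record's
    own target if present, else replays whatever history still survives."""
    if "target" in read_rec:
        return read_rec["target"]
    table = {}
    for ev in log:
        if ev["pid"] != read_rec["pid"] or ev["seq"] >= read_rec["seq"]:
            continue
        if ev["type"] == "open":
            table[ev["fd"]] = ev["path"]
        elif ev["type"] == "dup2":
            table[ev["new"]] = table.get(ev["old"])
        elif ev["type"] == "close":
            table.pop(ev["fd"], None)
    return table.get(read_rec["fd"])

def scenario(self_contained, retained=None):
    """Constructed sample (pid 4242 is made up): open a file, dup2 it onto
    stdin, read fd 0. `retained` keeps only the newest N records (rotation)."""
    a = Auditor(self_contained)
    a.open(4242, 3, "/etc/passwd")
    a.dup2(4242, 3, 0)
    a.close(4242, 3)
    a.read(4242, 0)
    log = a.log if retained is None else a.log[-retained:]
    return fd_target_at(log, log[-1])
```

With full history both record formats answer the query; once only the read() record itself is retained, the minimal format yields nothing while the self-contained one still names the file.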
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 10:22:28 PDT