Re: LSM Documentation and/or examples

From: Mark Bainter (mbainter@private)
Date: Fri Oct 28 2005 - 16:03:59 PDT


On Fri, 28 Oct 2005 11:04 am, Valdis.Kletnieks@private wrote:

> Subtle distinction you might need to be aware of - is the requirement
> to log all processes that run as root, or to log actual commands entered
> while logged in as (or su'ed to) root?

Primarily all commands while logged in as root.  I recognize this isn't 
complete, but I'm in a bit of a crunch and need a solution asap, so I'm 
willing to risk missing a couple of things.

This isn't to catch an intruder or anything, rather to keep an eye on a 
bad situation without a major political brouhaha.

Though if it was useful I would've tried to flesh it out more for others 
who wanted a similar tool.

> There haven't been any *logins* as root on my laptop since 4AM when the
> accounting file got rolled over - but 'lastcomm | grep root | wc' returns
> a number well over 1,200.  Similarly, if somebody is logged in as root,
> and does something like 'cd /usr/src/linux-2.6.14; make clean; make'
> that could be 50K or more processes launched by the 'make'.
>
> "log all processes run as root" is probably best addressed via
> auditd/auditctl.  Bonus points if you can figure out why somebody on
> the list will probably point out that "log all commands entered"
> doesn't paint an accurate story either - but two hints are (a) most
> editors can cause multiple modes of mischief and (b) the first tool
> *I*'d think of using here would be Sebek - 3.0 recently came out, and
> it's apparently been fixed up to support the 2.6 kernel (previous
> sebek versions hijacked an entry in the syscall table, a no-no under
> 2.6)

I haven't heard of Sebek either; I'll take a look at that too.  These sound 
like they'd both be faster and more reliable than some rapidly thrown 
out code.

I'm aware of it not painting an accurate story, both due to editors and 
their ability to edit new files from inside without a new command, and 
the ability of processes to start other processes that won't be caught 
by this hook.

I figured I'd have to do some task intercepting too.  However, it sounds 
like this wheel has already been done, and almost guaranteed better than 
I'd do it.  ;-)  So I'll read up on that.
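As an added illustration of the auditd/auditctl approach suggested above (this is not code from the thread or from either poster, and it assumes a current auditd with the audit.rules syntax shown; the rule keys "root_exec" and "root_login_exec" and the audit.log lines are constructed for the example): the rule set below logs every execve made as root, in two flavours that match the distinction raised in the thread, and the awk filter pairs each SYSCALL record with its EXECVE record so the log reads as one command per line instead of a pile of fields.

```shell
#!/bin/sh
# Added example, not part of the original thread or of auditd itself.
# Rule keys (root_exec, root_login_exec) and the sample log are constructed.

# Rules as they would go in /etc/audit/audit.rules (or be loaded with
# "auditctl -R").  Two flavours, matching the distinction in the thread:
#   -F euid=0  every process that runs as root, 'make' children included
#   -F auid=0  only sessions that logged in as root: auid is the login uid
#              and survives su/sudo, so a user who su'ed to root keeps their
#              own auid and is NOT matched by this rule
root_exec_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -k root_exec
-a always,exit -F arch=b64 -S execve -F auid=0 -k root_login_exec
-a always,exit -F arch=b32 -S execve -F auid=0 -k root_login_exec
EOF
}

# Constructed audit.log excerpt: a root login running 'make clean' (and the
# 'rm' that make spawns), a uid 1000 user su'ed to root editing /etc/shadow,
# and one non-root command that a root-only filter must drop.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1130541839.101:4001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2811 pid=2830 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="make" exe="/usr/bin/make" key="root_login_exec"
type=EXECVE msg=audit(1130541839.101:4001): argc=2 a0="make" a1="clean"
type=SYSCALL msg=audit(1130541839.250:4002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2830 pid=2835 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="root_login_exec"
type=EXECVE msg=audit(1130541839.250:4002): argc=3 a0="rm" a1="-f" a2="vmlinux"
type=SYSCALL msg=audit(1130541840.002:4003): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3100 pid=3101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="root_exec"
type=EXECVE msg=audit(1130541840.002:4003): argc=2 a0="vi" a1="/etc/shadow"
type=SYSCALL msg=audit(1130541840.500:4004): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3200 pid=3201 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=5 comm="ls" exe="/bin/ls" key="all_exec"
type=EXECVE msg=audit(1130541840.500:4004): argc=1 a0="ls"
EOF
}

# Reads audit.log text on stdin and writes one line per root execve:
#   <event id> auid=<login uid> comm=<comm> cmd=<argv joined by spaces>
# Events are matched on the serial inside audit(<time>:<serial>).  Only
# events whose SYSCALL record has euid=0 and which have an EXECVE record
# are emitted, in the order their SYSCALL records appeared.
# Caveat: auditd hex-encodes argv strings that contain spaces or control
# characters (and then omits the quotes); those come out here as hex.
root_execs() {
    awk '
    function field(s, name,    m) {
        # value of "name=value" in record s, quotes stripped; "" if absent
        if (match(" " s, " " name "=[^ ]*")) {
            m = substr(" " s, RSTART, RLENGTH)
            sub(" " name "=", "", m)
            gsub(/"/, "", m)
            return m
        }
        return ""
    }
    {
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
        sub(/^audit\([0-9.]+:/, "", id)
        sub(/\)$/, "", id)
        if (field($0, "type") == "SYSCALL") {
            if (field($0, "euid") == "0") {
                order[++n] = id
                auid[id] = field($0, "auid")
                comm[id] = field($0, "comm")
            }
        } else if (field($0, "type") == "EXECVE") {
            argc = field($0, "argc") + 0
            cmd = ""
            for (i = 0; i < argc; i++)
                cmd = cmd (i ? " " : "") field($0, "a" i)
            argv[id] = cmd
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (id in argv)
                printf "%s auid=%s comm=%s cmd=%s\n", id, auid[id], comm[id], argv[id]
        }
    }'
}

# Stand-alone demo: the rules, then the constructed log reduced to commands.
root_exec_rules
sample_audit_log | root_execs
```

Run as-is to see the three root commands from the constructed log (the 'ls' run as uid 1000 is dropped); the 'vi /etc/shadow' line comes out with auid=1000, which is exactly the su'ed-to-root case the auid=0 rule alone would miss, and the edits made inside vi are of course not visible in any execve log, which is the editor caveat raised in the thread.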



This archive was generated by hypermail 2.1.3 : Fri Oct 28 2005 - 16:04:30 PDT