Thanks for the review.
Andrew Morton napsal(a):
> On Wed, 06 Jun 2007 12:10:28 +0200 Miloslav Trmac <[EMAIL PROTECTED]> wrote:
>> +/**
>> + * tty_audit_opening - A TTY is being opened.
>> + *
>> + * As a special hack, tasks that close all their TTYs and open new ones
>> + * are
--- Jan Engelhardt <[EMAIL PROTECTED]> wrote:
> Someone please enlighten me why a regular keylogger² that captures
> both input and output could not do the same. (Auditing what one has done.)
1. shell aliases
# innocuous -p 0
2. shell variables
# $INNOCUOUS -p 0
3. symlinks
# ./innocuous
On Thu, 07 Jun 2007 16:20:07 +0200
Miloslav Trmac <[EMAIL PROTECTED]> wrote:
> Alan Cox napsal(a):
> >>> + if (filp->f_op->read == tty_read) {
> >>> + disable = 0;
> >>> + break;
> > Why says a tty will always have f->op->read ==
On Jun 7 2007 21:28, Miloslav Trmac wrote:
>Casey Schaufler napsal(a):
>>> If we do not get commands typed at a prompt, we have to audit by execve.
>> I would suggest that you'll have to do that as well so that you can tell
>> the difference between typed actions like these:
>>
>> # cat >
Casey Schaufler napsal(a):
>> If we do not get commands typed at a prompt, we have to audit by execve.
> I would suggest that you'll have to do that as well so that you can tell
> the difference between typed actions like these:
>
> # cat > /dev/null
> badprogram --badthing --everyone
> ^D
> #
>
--- Steve Grubb <[EMAIL PROTECTED]> wrote:
> Ok, this is a sample set of requirements we are trying to meet:
>
> Implement automated audit trails for all system components to reconstruct the
>
> following events:
> All actions taken by any individual with root or administrative privileges
On Thursday 07 June 2007 11:42, Casey Schaufler wrote:
> > tools like rootsh, but that is too easy to detect and defeat. And then it
> > does not put its data into the audit system where its correlated with
> > other system events.
>
> The evaluation teams that I have worked with (OrangeBook and
> logging to meet the audit requirements. You have to log what happened.
> Logging what was requested is insufficient and logging what was
> typed, which may or may not have resulted in an actual request is
> not helpful to meeting security audit requirements.
Key information can answer some
--- Steve Grubb <[EMAIL PROTECTED]> wrote:
> On Thursday 07 June 2007 04:13:42 Jan Engelhardt wrote:
> > >Add TTY input auditing, used to audit system administrator's actions.
> >
> > _What_ exactly does it audit?
>
> In theory, it should audit the actions performed by the sysadmin. This patch
Alan Cox napsal(a):
>>> + if (filp->f_op->read == tty_read) {
>>> + disable = 0;
>>> + break;
> Why says a tty will always have f->op->read == tty_read ?
AFAICS from tty_io.c, it will always be tty_read or hung_up_tty_read.
On Thursday 07 June 2007 04:13:42 Jan Engelhardt wrote:
> >Add TTY input auditing, used to audit system administrator's actions.
>
> _What_ exactly does it audit?
In theory, it should audit the actions performed by the sysadmin. This patch
doesn't cover actions done via X windows interface.
>
> > + if (filp->f_op->read == tty_read) {
> > + disable = 0;
> > + break;
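Review bot: the `filp->f_op->read == tty_read` test is the only thing that keeps `disable` from staying set, so any TTY whose file operations have been swapped to the hung-up variant (`hung_up_tty_read`, as the follow-up in this thread notes) is silently treated as "not a TTY" and can make the caller conclude the task has closed all its TTYs; either accept both read handlers here or document that a hung-up TTY is deliberately ignored.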
Why says a tty will always have f->op->read == tty_read ?
On Jun 6 2007 11:49, Miloslav Trmac wrote:
>From: Miloslav Trmac <[EMAIL PROTECTED]>
>
>Add TTY input auditing, used to audit system administrator's actions.
_What_ exactly does it audit?
And why does it only audit sysadmin actions?
Is this supposed to be a keylogger?
>TTY input auditing works
On Wed, 06 Jun 2007 12:10:28 +0200 Miloslav Trmac <[EMAIL PROTECTED]> wrote:
> From: Miloslav Trmac <[EMAIL PROTECTED]>
>
> Add TTY input auditing, used to audit system administrator's actions.
> TTY input auditing works on a higher level than auditing all system
> calls within the session,
I'm sorry, I forgot the patch...
From: Miloslav Trmac <[EMAIL PROTECTED]>
Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly
From: Miloslav Trmac <[EMAIL PROTECTED]>
Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly useless audit events.
Add an