Thanks for the review.
Andrew Morton wrote:
> On Wed, 06 Jun 2007 12:10:28 +0200 Miloslav Trmac <[EMAIL PROTECTED]> wrote:
>> +/**
>> + * tty_audit_opening - A TTY is being opened.
>> + *
>> + * As a special hack, tasks that close all their TTYs and open new ones
>> + * are assum
--- Jan Engelhardt <[EMAIL PROTECTED]> wrote:
> Someone please enlighten me why a regular keylogger² that captures
> both input and output could not do the same. (Auditing what one has done.)
1. shell aliases
# innocuous -p 0
2. shell variables
# $INNOCUOUS -p 0
3. symlinks
# ./innocu
On Thu, 07 Jun 2007 16:20:07 +0200
Miloslav Trmac <[EMAIL PROTECTED]> wrote:
> Alan Cox wrote:
> >>> + if (filp->f_op->read == tty_read) {
> >>> + disable = 0;
> >>> + break;
> > Who says a tty will always have f->op->read == tty_
On Jun 7 2007 21:28, Miloslav Trmac wrote:
>Casey Schaufler wrote:
>>> If we do not get commands typed at a prompt, we have to audit by execve.
>> I would suggest that you'll have to do that as well so that you can tell
>> the difference between typed actions like these:
>>
>> # cat > /dev/n
Casey Schaufler wrote:
>> If we do not get commands typed at a prompt, we have to audit by execve.
> I would suggest that you'll have to do that as well so that you can tell
> the difference between typed actions like these:
>
> # cat > /dev/null
> badprogram --badthing --everyone
> ^D
> #
>
--- Steve Grubb <[EMAIL PROTECTED]> wrote:
> Ok, this is a sample set of requirements we are trying to meet:
>
> Implement automated audit trails for all system components to reconstruct the
>
> following events:
> All actions taken by any individual with root or administrative privileges
M
On Thursday 07 June 2007 11:42, Casey Schaufler wrote:
> > tools like rootsh, but that is too easy to detect and defeat. And then it
> > does not put its data into the audit system where it's correlated with
> > other system events.
>
> The evaluation teams that I have worked with (OrangeBook and CC
> logging to meet the audit requirements. You have to log what happened.
> Logging what was requested is insufficient and logging what was
> typed, which may or may not have resulted in an actual request is
> not helpful to meeting security audit requirements.
Key information can answer some quest
--- Steve Grubb <[EMAIL PROTECTED]> wrote:
> On Thursday 07 June 2007 04:13:42 Jan Engelhardt wrote:
> > >Add TTY input auditing, used to audit system administrator's actions.
> >
> > _What_ exactly does it audit?
>
> In theory, it should audit the actions performed by the sysadmin. This patch
Alan Cox wrote:
>>> + if (filp->f_op->read == tty_read) {
>>> + disable = 0;
>>> + break;
> Who says a tty will always have f->op->read == tty_read?
AFAICS from tty_io.c, it will always be tty_read or hung_up_tty_read.
Norma
On Thursday 07 June 2007 04:13:42 Jan Engelhardt wrote:
> >Add TTY input auditing, used to audit system administrator's actions.
>
> _What_ exactly does it audit?
In theory, it should audit the actions performed by the sysadmin. This patch
doesn't cover actions done via X windows interface.
> An
> > + if (filp->f_op->read == tty_read) {
> > + disable = 0;
> > + break;
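Review bot: comparing filp->f_op->read against tty_read is not a reliable test for "this file is a TTY"; as the reply later in this thread notes, a hung-up tty reports hung_up_tty_read instead, so such a file would fall through this check and auditing would stay disabled for it. Suggest identifying the tty by a dedicated property of the file rather than by matching a single function pointer, or at minimum accepting hung_up_tty_read alongside tty_read.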
Who says a tty will always have f->op->read == tty_read?
On Jun 6 2007 11:49, Miloslav Trmac wrote:
>From: Miloslav Trmac <[EMAIL PROTECTED]>
>
>Add TTY input auditing, used to audit system administrator's actions.
_What_ exactly does it audit?
And why does it only audit sysadmin actions?
Is this supposed to be a keylogger?
>TTY input auditing works o
On Wed, 06 Jun 2007 12:10:28 +0200 Miloslav Trmac <[EMAIL PROTECTED]> wrote:
> From: Miloslav Trmac <[EMAIL PROTECTED]>
>
> Add TTY input auditing, used to audit system administrator's actions.
> TTY input auditing works on a higher level than auditing all system
> calls within the session, which
I'm sorry, I forgot the patch...
From: Miloslav Trmac <[EMAIL PROTECTED]>
Add TTY input auditing, used to audit system administrator's actions.
TTY input auditing works on a higher level than auditing all system
calls within the session, which would produce an overwhelming amount of
mostly useless