On Jun 7 2007 21:28, Miloslav Trmac wrote:
>Casey Schaufler napsal(a):
>>> If we do not get commands typed at a prompt, we have to audit by execve.
>> I would suggest that you'll have to do that as well so that you can tell
>> the difference between typed actions like these:
>>
>> # cat > /dev/null
>> badprogram --badthing --everyone
>> ^D
>> #
>>
>> # badprogram --badthing --everyone
>>
>> where the same typed line is a Bad Thing in one case and completely
>> irrelevent in the other.
>The proposed patch audits each process separately, and includes a part
>of the command name in the audit event, so it is easy to distinguish
>between data entered into (cat > /dev/null) and the shell.
>
>The command name can be faked, but the actions necessary to fake the
>command name would be audited.
Someone please enlighten me why a regular keylogger² that captures
both input and output could not do the same. (Auditing what one has done.)
² http://ttyrpld.sf.net (there are others too)
Jan
--
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
