Re: [PATCH] Audit: Add TTY input auditing

From: Jan Engelhardt
Date: Thu Jun 07 2007 - 17:10:00 EST

Next message: Jared Hulbert: "Re: [PATCH 2.6.21] cramfs: add cramfs Linear XIP"
Previous message: Linus Torvalds: "Re: [patch 7/8] fdmap v2 - implement sys_socket2"
In reply to: Miloslav Trmac: "Re: [PATCH] Audit: Add TTY input auditing"
Next in thread: Casey Schaufler: "Re: [PATCH] Audit: Add TTY input auditing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jun 7 2007 21:28, Miloslav Trmac wrote:
>Casey Schaufler napsal(a):
>>> If we do not get commands typed at a prompt, we have to audit by execve.
>> I would suggest that you'll have to do that as well so that you can tell
>> the difference between typed actions like these:
>>
>> # cat > /dev/null
>> badprogram --badthing --everyone
>> ^D
>> #
>>
>> # badprogram --badthing --everyone
>>
>> where the same typed line is a Bad Thing in one case and completely
>> irrelevent in the other.
>The proposed patch audits each process separately, and includes a part
>of the command name in the audit event, so it is easy to distinguish
>between data entered into (cat > /dev/null) and the shell.
>
>The command name can be faked, but the actions necessary to fake the
>command name would be audited.

Someone please enlighten me why a regular keyloggerÂ that captures
both input and output could not do the same. (Auditing what one has done.)

Â http://ttyrpld.sf.net (there are others too)

Jan
--

Next message: Jared Hulbert: "Re: [PATCH 2.6.21] cramfs: add cramfs Linear XIP"
Previous message: Linus Torvalds: "Re: [patch 7/8] fdmap v2 - implement sys_socket2"
In reply to: Miloslav Trmac: "Re: [PATCH] Audit: Add TTY input auditing"
Next in thread: Casey Schaufler: "Re: [PATCH] Audit: Add TTY input auditing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]