Re: [PATCH] Audit: Add TTY input auditing

From: Casey Schaufler
Date: Thu Jun 07 2007 - 18:32:25 EST



--- Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> wrote:


> Someone please enlighten me why a regular keylogger² that captures
> both input and output could not do the same. (Auditing what one has done.)

1. shell aliases
# innocuous -p 0
2. shell variables
# $INNOCUOUS -p 0
3. symlinks
# ./innocuous -p 0

Yes, I know there are ways to prevent each of these "attacks",
but it's surprising how often simple textual changes are effective
in hiding behavior.


Casey Schaufler
casey@xxxxxxxxxxxxxxxx
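
Added example, not part of the original message: a Python illustration of why the three typed lines above look identical in a keystroke log yet run a different program, by resolving each line the way a shell would (alias, then variable, then symlink). The `real_tool` file, the alias table and the environment are constructed stand-ins, and a POSIX filesystem is assumed.

```python
import os, shlex, shutil, tempfile
from string import Template

def resolve_typed(line, aliases, env, cwd):
    """Map one typed line to the real file the shell would execute."""
    first, _, rest = line.partition(" ")
    if first in aliases:                        # 1. alias: first word only
        line = aliases[first] + " " + rest
    line = Template(line).safe_substitute(env)  # 2. $VARIABLE expansion
    cmd = shlex.split(line)[0]
    if os.sep in cmd:                           # explicit path such as ./innocuous
        found = os.path.join(cwd, cmd)
    else:                                       # bare name: search PATH
        found = shutil.which(cmd, path=env.get("PATH", ""))
    return os.path.realpath(found) if found else None  # 3. follow symlinks

def demo():
    """Build a constructed session and compare typed text with what runs."""
    cwd = os.path.realpath(tempfile.mkdtemp())
    real = os.path.join(cwd, "real_tool")       # constructed stand-in program
    with open(real, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(real, 0o755)
    os.symlink(real, os.path.join(cwd, "innocuous"))
    aliases = {"innocuous": real}               # constructed alias table
    env = {"INNOCUOUS": real, "PATH": "/usr/bin:/bin"}
    typed = ["innocuous -p 0", "$INNOCUOUS -p 0", "./innocuous -p 0"]
    report = []
    for line in typed:
        target = resolve_typed(line, aliases, env, cwd)
        shown = os.path.basename(line.split()[0].lstrip("$"))
        # Flag lines where the name in the keystroke log is not what ran.
        report.append((line, target, os.path.basename(target) != shown))
    return real, report

if __name__ == "__main__":
    for line, target, differs in demo()[1]:
        print(f"typed {line!r:22} runs {target}  mismatch={differs}")
```

All three lines resolve to the same file, which is the information an exec-level audit record carries and a keystroke log does not.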