| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0706072305380.1370@fbirervta.pbzchgretzou.qr> Date: Thu, 7 Jun 2007 23:09:48 +0200 (CEST) From: Jan Engelhardt <jengelh@...putergmbh.de> To: Miloslav Trmac <mitr@...hat.com> cc: casey@...aufler-ca.com, Steve Grubb <sgrubb@...hat.com>, dwmw2@...radead.org, linux-kernel@...r.kernel.org, Alan Cox <alan@...hat.com>, Alexander Viro <aviro@...hat.com> Subject: Re: [PATCH] Audit: Add TTY input auditing On Jun 7 2007 21:28, Miloslav Trmac wrote: >Casey Schaufler napsal(a): >>> If we do not get commands typed at a prompt, we have to audit by execve. >> I would suggest that you'll have to do that as well so that you can tell >> the difference between typed actions like these: >> >> # cat > /dev/null >> badprogram --badthing --everyone >> ^D >> # >> >> # badprogram --badthing --everyone >> >> where the same typed line is a Bad Thing in one case and completely >> irrelevent in the other. >The proposed patch audits each process separately, and includes a part >of the command name in the audit event, so it is easy to distinguish >between data entered into (cat > /dev/null) and the shell. > >The command name can be faked, but the actions necessary to fake the >command name would be audited. Someone please enlighten me why a regular keylogger² that captures both input and output could not do the same. (Auditing what one has done.) ² http://ttyrpld.sf.net (there are others too) Jan --
Powered by blists - more mailing lists