Re: Proposal "LUID"

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Mon Apr 17 2000 - 14:42:12 EST


Austin Schutz <tex@gblx.net>:
> On Sun, Apr 16, 2000 at 03:57:01PM -0400, allbery@kf8nh.apk.net wrote:
> > On 16 Apr, Austin Schutz wrote:
> > +-----
> > | I think the whole concept is lacking. If I have EUID 0 I can do
> > |
> > | # echo "+ +" >/root/.rhosts
> > |
> > | ..And now anyone can log in as root with LUID 0. So.. what was gained?
> > +--->8
> >
> > What was gained was that the filesystem auditing code will have logged
> > the fact that you (as identified by your LUID, which will still
> > indicate *you*) made that modification. That's the whole point of
> > LUIDs: to provide a reliable user identity for auditing changes to the
> > system.
> >
> > Once again, LUIDs are not used for authentication or access control.
> > They are used for *secure auditing*.
>
> I'm extremely skeptical that anything, auditing included, could
> be made secure in the case of a compromise, which AFAICT is what you are
> trying to accomplish. What do you do when your auditing tools are rootkitted?
> Once you've dealt with that, what have you gained? You only find out
> when someone does something that is of auditable importance. Imagine the
> case where I compromise an (for example) telnetd. Rather than have it spawn a
> shell I merely have it dump the contents of /etc/shadow to me. Since telnetd
> (or login) gets to read that file anyway you have no way of telling anything
> unusual has happened, even if you are logging.

1. The audit trail would show that you modified telnetd.
2. Nothing says that the audit log is recorded on the same machine that the
   events occur on.
3. If the audit monitoring system is examining the events as they arrive then
   it would have detected a "potential penetration" at the moment telnetd was
   replaced.
4. If the penetrator altered the audit events to try to hide, then the
   monitoring system would detect the change in configuration. Or at least
   have logged that it occurred.
5. All the LUIDs provide is the uid of the user that initiated the event,
   however far back the trail the user tried to hide.

> If despite all this it helps Linux gain some needed certification
> I think that's great. But I still think it's a flawed concept.

By itself (without the audit tools) it gains nothing. With the tools and
proper configuration, it provides a lot of information (who, when, from where,
and what).
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
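The property the reply above relies on, as an added illustration that is not code from the thread or from the LUID proposal: the login UID is fixed at login and survives su/setuid, so an audit record for a write to a critical file still names the user who logged in, even after they became EUID 0. The process model, the event format and the list of critical files below are constructed assumptions.

```python
"""Constructed simulation of LUID attribution in an audit trail (not from the thread)."""
from dataclasses import dataclass


@dataclass
class Proc:
    luid: int   # login UID: set once at login, never changed afterwards
    uid: int    # real UID, changes with su/setuid
    euid: int   # effective UID, changes with su/setuid

    def setuid(self, new_uid):
        """Privilege transition: uid/euid move, luid deliberately does not."""
        self.uid = self.euid = new_uid
        return self


def login(uid):
    """A fresh login session: all three ids start equal."""
    return Proc(luid=uid, uid=uid, euid=uid)


@dataclass(frozen=True)
class AuditEvent:
    luid: int
    euid: int
    action: str
    target: str


def audit(proc, action, target, log):
    """Record an event; 'log' stands in for a collector on another host."""
    ev = AuditEvent(proc.luid, proc.euid, action, target)
    log.append(ev)
    return ev


# Constructed watch list of files whose modification should raise an alert.
CRITICAL = {"/usr/sbin/telnetd", "/bin/login", "/root/.rhosts"}


def alerts(log):
    """Writes to critical files, attributed to the originating LUID, not the EUID."""
    return [(e.luid, e.target) for e in log if e.action == "write" and e.target in CRITICAL]


def scenario():
    """User 1000 logs in, becomes root, then trojans telnetd and opens .rhosts."""
    log = []
    p = login(1000)
    audit(p, "read", "/etc/passwd", log)
    p.setuid(0)                                  # su to root: euid 0, luid still 1000
    audit(p, "write", "/root/.rhosts", log)
    audit(p, "write", "/usr/sbin/telnetd", log)
    return p, log
```

Every alert carries LUID 1000 although both writes were made with EUID 0, which is the "who" the reply says the audit tools recover.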




This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:11 EST