Re: Proposal "LUID"

From: Austin Schutz (tex@gblx.net)
Date: Mon Apr 17 2000 - 18:37:48 EST


> > Once you've dealt with that, what have you gained? You only find out
> > when someone does something that is of auditable importance. Imagine the
> > case where I compromise an (for example) telnetd. Rather than have it spawn a
> > shell I merely have it dump the contents of /etc/shadow to me. Since telnetd
> > (or login) gets to read that file anyway you have no way of telling anything
> > unusual has happened, even if you are logging.
>
> 1. The audit trail would show that you modified telnetd.

        No, because I didn't modify it. I found a buffer overrun and exploited
it (or I exploited BIND, or sendmail, etc...) and never modified anything.

> 2. Nothing says that the audit log is recorded on the same machine that the
> events occur on.
> 3. If the audit monitoring system is examining the events as they arrive then
> it would have detected a "potential penetration" at the moment telnetd was
> replaced.

        telnetd was never replaced.

> 4. If the penetrator altered the audit events to try to hide, then the
> monitoring system would detect the change in configuration. Or at least
> have logged that it occurred.
> 5. All the LUIDs provide is the uid of the user that initiated the event,
> however far back the trail the user tried to hide.
>
        As long as the machine has not been compromised, I agree. But it
should not give one a false sense of being more secure.

        Austin
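The attribution argument in this exchange, modelled as an added example that is not part of the original message or of the LUID proposal: a login UID is set once by login, survives fork/exec and setuid, so a user who su's to root and reads /etc/shadow is still attributed to uid 1000; a daemon that never had a login session carries no LUID, and an exploited telnetd that reads /etc/shadow in-process produces an audit record identical to its legitimate read. The process model, the NO_LUID convention, the event names and the flag_shadow_reads rule are all constructed assumptions for this illustration, not any kernel's interface.

```python
"""Toy model of login-UID (LUID) audit attribution.

Added illustration for the thread above; not code from the LUID proposal or
from any kernel. The process records, the NO_LUID convention, the event names
and the detection rule are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

NO_LUID = -1  # assumption: a process started without a login session

@dataclass
class Proc:
    pid: int
    uid: int    # real uid
    euid: int   # effective uid
    luid: int   # login uid: set once at login, inherited, never reset
    comm: str

AUDIT: List[Dict] = []  # constructed in-memory audit trail

def login(pid: int, uid: int, comm: str) -> Proc:
    """login(1) is the only place the LUID is set."""
    return Proc(pid, uid, uid, uid, comm)

def spawn_daemon(pid: int, comm: str) -> Proc:
    """A network daemon started at boot has no login session."""
    return Proc(pid, 0, 0, NO_LUID, comm)

def fork_exec(parent: Proc, pid: int, comm: str) -> Proc:
    """fork/exec copies every id, the LUID included."""
    return Proc(pid, parent.uid, parent.euid, parent.luid, comm)

def setuid(proc: Proc, new_uid: int) -> Proc:
    """su / setuid changes uid and euid but leaves the LUID untouched."""
    proc.uid = new_uid
    proc.euid = new_uid
    return proc

def audit(proc: Proc, event: str, target: str) -> Dict:
    rec = {"pid": proc.pid, "euid": proc.euid, "luid": proc.luid,
           "comm": proc.comm, "event": event, "target": target}
    AUDIT.append(rec)
    return rec

def flag_shadow_reads(records: List[Dict], privileged_readers: Set[str]) -> List[Dict]:
    """Constructed rule: a read of /etc/shadow is suspicious when the LUID names a
    real login (whoever su'd in between), or when a session-less process that is
    not a known privileged reader does it."""
    hits = []
    for r in records:
        if r["target"] != "/etc/shadow" or r["event"] != "open_read":
            continue
        if r["luid"] != NO_LUID or r["comm"] not in privileged_readers:
            hits.append(r)
    return hits

def scenario() -> List[Dict]:
    """Three constructed events: an attributable read, a legitimate daemon read,
    and the same daemon reading after an in-process exploit (nothing replaced)."""
    AUDIT.clear()
    sh = login(100, 1000, "sh")              # user 1000 logs in
    su = setuid(fork_exec(sh, 101, "su"), 0) # becomes root; LUID stays 1000
    cat = fork_exec(su, 102, "cat")
    audit(cat, "open_read", "/etc/shadow")   # flagged: luid=1000, euid=0

    telnetd = spawn_daemon(50, "telnetd")
    audit(telnetd, "open_read", "/etc/shadow")  # normal authentication read
    # Overflow exploited inside telnetd: same pid, same ids, same binary on disk.
    audit(telnetd, "open_read", "/etc/shadow")  # indistinguishable from the one above
    audit(telnetd, "sendto", "attacker-host")
    return flag_shadow_reads(list(AUDIT), {"telnetd", "login"})

def telnetd_shadow_records() -> List[Dict]:
    """The daemon's two /etc/shadow reads, for comparison."""
    return [r for r in AUDIT if r["comm"] == "telnetd" and r["target"] == "/etc/shadow"]

if __name__ == "__main__":
    for hit in scenario():
        print("flagged:", hit)
    a, b = telnetd_shadow_records()
    print("exploited read identical to legitimate read:", a == b)
```

The rule catches the su chain because the LUID rides along regardless of how many privilege changes follow, which is the gain the proposal's point 5 describes; the two telnetd records are byte-for-byte the same, which is the limit Austin describes once the daemon itself is the thing compromised.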

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:12 EST