Re: [PATCH] RE: Future Linux devel. Kernels

From: Sven Koch (haegar@comunit.net)
Date: Mon May 08 2000 - 19:07:28 EST


On Mon, 8 May 2000, Jeff Garzik wrote:

> On Mon, 8 May 2000, Piotr Wilkin wrote:
>
> > On Sun, 7 May 2000, Ron Van Dam wrote:
> >
> > > Well my thought was if you are running syslog on another box you would have
> > > somewhat of a tamperproof
> > > system. For instance, an intruder compromises root, loads a kernel module to
> > > hide his/her activities. If modules are logged there's one more piece of
> > > evidence that the system has been compromised. Right now (under 2.2 kernels)
> > > I do not see any logs when I load (or remove) modules.
> > >
> > In case anyone else wants module loading/unloading logging, here is the
> > patch against 2.3.99-pre7-6:
>
> shouldn't modutils do the syslogging?

I don't think so.
If someone got root on your machine (and that's the point where you exactly
want and need the remote logging), he can bring his own insmod with him,
patched not to log anything.

(I know, he could turn off the logging too, but every step to harden the
security helps - don't make it easy for an intruder)

c'ya
sven

-- 

The Internet treats censorship as a routing problem, and routes around it. (John Gilmore on http://www.cygnus.com/~gnu/)
