[PATCH] log all actions by privileged user in bash

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Feb 6 20:15:07 UTC 2007


On Sun, 04 Feb 2007 19:54:25 EST, Steve Grubb said:
> Hi,

>  	      execute_command (current_command);
> +#if defined (AUDIT_SHELL)
> +              {
> +                extern char *shell_input_line;
> +                audit (shell_input_line, last_command_exit_value);
> +              }
> +#endif
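Review bot: the audit call sits after `execute_command (current_command);`, so a command is recorded only once it has already run, and a command that stops or tampers with the audit subsystem executes before any record of it exists; write a record carrying `shell_input_line` before `execute_command` and append `last_command_exit_value` in a second record once it returns. Note also that the record is built from `shell_input_line` rather than `current_command`, i.e. the line as read rather than the command actually executed, so this should be documented, and the block-local `extern char *shell_input_line;` belongs in a shared header rather than inside the `#if` block.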

Umm.. audit *before* exec, in case the command is 'nuke_audit --force'? ;)

For the rest, feel free to clue-by-four me if I'm talking out some orifice
other than my mouth.. ;)

It's not clear that this can't be bypassed by (for instance) doing
something evil like this:

PS1="Normal prompt except for `exec_evilness_here`"

Looks like the shell completion could be fun too:

       edit-and-execute-command (C-xC-e)
              Invoke  an  editor  on the current command line, and execute the
              result as shell commands.   Bash  attempts  to  invoke  $FCEDIT,
              $EDITOR, and emacs as the editor, in that order.

(I haven't checked the source - the execute_command() function may in fact
get called for these cases.  If so, you probably need to document that some
output may be created even if the user isn't actually submitting a command,
so care needs to be used when correlating to actual terminal activity).

And given that 'cat > /tmp/evil; chmod +x /tmp/evil; /tmp/evil' and
'evilscript | /bin/sh' will work, about all this audit trail will show is
that *something* unusual happened - an attacker wouldn't have much trouble
disguising exactly *what* was done....