audit-0.6.12 released

Klaus Weidner klaus at atsec.com
Wed Apr 20 22:20:45 UTC 2005


On Wed, Apr 20, 2005 at 05:51:26PM -0400, Steve Grubb wrote:
> This release features a new program autrace. It works similarly to strace. You
> give it a program to execute with parameters and it: clears the audit rules, 
> generates a rule to audit all syscalls for that program, and executes the 
> program. When the program ends, it clears the rules.

Hmm, that sounds rather destructive for a harmless-sounding utility. So
if an admin uses autrace to debug something, that has the side effect of
switching off audit for the entire system?

I would suggest that autrace shouldn't clear out audit rules (except
maybe when run with a --destroy-all-audit-rules switch?), and should refuse to
run if audit rules are already installed, to avoid security problems for
sites depending on audit. The admin would need to explicitly clear audit
rules first before using the tool. On a system not using audit, the rule
list would be empty, so it would work as expected.

-Klaus
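
The guard suggested in this message, sketched as a shell wrapper around autrace. This is an added example, not part of the original e-mail or of the audit package; `count_rules`, `guarded_autrace` and the `AUDITCTL_LIST` override are hypothetical names, and it assumes `auditctl -l` prints the single line `No rules` when the rule list is empty.

```shell
#!/bin/sh
# Added illustration, not code from audit-0.6.12.
# Assumption: `auditctl -l` prints "No rules" for an empty rule list;
# every other non-blank line of its output is counted as a loaded rule.

# count_rules: read `auditctl -l` output on stdin, print the rule count.
count_rules() {
    awk 'NF && $0 != "No rules" { n++ } END { print n + 0 }'
}

# guarded_autrace: run autrace only when no audit rules are loaded, so
# that tracing a program never silently wipes a site's audit policy.
# AUDITCTL_LIST (hypothetical) replaces the listing command for testing.
guarded_autrace() {
    # Fail closed: if the rule list cannot be read, do not trace.
    listing=$(${AUDITCTL_LIST:-auditctl -l}) || {
        echo "cannot read audit rules (not root?); not running autrace" >&2
        return 2
    }
    n=$(printf '%s\n' "$listing" | count_rules)
    if [ "$n" -gt 0 ]; then
        echo "refusing: $n audit rule(s) loaded and autrace would clear them" >&2
        echo "clear the rules explicitly first if that is really intended" >&2
        return 1
    fi
    autrace "$@"
}
```

Call it as `guarded_autrace /bin/ls /tmp`; exit status 1 means rules were present and nothing was traced or cleared.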



