[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit audtid's syscall?



On Thu, 03 Feb 2005 11:08:08 EST, Avishay Traeger said:

> PID=`ps x | grep auditd | grep -v grep | cut -c 2-5`

> /sbin/auditctl -a entry,always -S all -F pid!=$PID || exit 3

This will, under some conditions, allow an attacker a "free lunch" just by
calling his process something with 'auditd' in it.  You really need to check
against what process is actually doing the auditd function (i.e. is it listening
to the netlink?)

The 'cut -c 2-5' will bork if auditd gets a process ID over 9999. '-c 1-6' or
awk '{print $1}' might be better....

Also, you can save a fork/exec like this:

PID=`ps x | grep 'aud[i]td' | cut -c 1-5`

(Think carefully about how grep applies the regexp when it finds itself...)

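The check the reply asks for, worked through as an added example (this is not code from the mail or from the audit project): pick auditd's PID by looking at who actually holds a NETLINK_AUDIT socket rather than by process name alone, and show the 'aud[i]td' self-match trick at work. It assumes the /proc/net/netlink layout where the second column is the netlink protocol number (NETLINK_AUDIT is 9) and the third is the owning portid, with portid 0 being the kernel side. The `ps x` listing and the netlink table below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail: locate auditd's PID for an
# "auditctl ... -F pid!=$PID" exclusion without trusting the process name alone.
# PS_SAMPLE and NETLINK_SAMPLE are constructed stand-ins for `ps x` and
# /proc/net/netlink so the script runs offline.

# Constructed `ps x`: the real daemon, an impostor with "auditd" in its name,
# and the grep that is scanning the listing (its argv shows the bracketed form).
PS_SAMPLE='  PID TTY      STAT   TIME COMMAND
  812 ?        S<sl   0:00 /sbin/auditd
 4141 pts/0    S      0:00 ./not-really-auditd
 4150 pts/0    R+     0:00 grep aud[i]td'

# Constructed /proc/net/netlink: Eth is the netlink protocol (NETLINK_AUDIT = 9),
# Pid is the owning portid; portid 0 is the kernel end of the socket.
NETLINK_SAMPLE='sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops     Inode
ffff88003d0d6000 0   0      00000000 0        0        0        2         0         8
ffff88003d0d6400 9   0      00000000 0        0        0        2         0         10
ffff88003d0d6800 9   812    00000001 0        0        0        2         0         9543
ffff88003d0d6c00 15  4141   00000000 0        0        0        2         0         9600'

# Name-based candidates. The regexp 'aud[i]td' matches the text "auditd" but
# not the grep's own command line, which contains the literal "aud[i]td", so no
# "grep -v grep" pass is needed. awk '{print $1}' copes with PIDs of any width,
# unlike a fixed "cut -c" range. Anyone can name a process auditd, so this is
# only a first cut, not the answer.
name_candidates() {
    printf '%s\n' "$1" | grep 'aud[i]td' | awk '{print $1}'
}

# Netlink-based candidates: userspace portids bound to NETLINK_AUDIT.
netlink_candidates() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == 9 && $3 != 0 { print $3 }'
}

# The daemon is the one PID present in both sets. Prints it and returns 0, or
# returns 1 when the intersection is not exactly one PID (no daemon running,
# or a second NETLINK_AUDIT client such as a racing auditctl).
auditd_pid() {
    names=$(name_candidates "$1")
    socks=$(netlink_candidates "$2")
    hits=''
    for p in $socks; do
        for n in $names; do
            [ "$p" = "$n" ] && hits="$hits $p"
        done
    done
    set -- $hits
    [ $# -eq 1 ] || return 1
    printf '%s\n' "$1"
}

# On a live box: PID=$(auditd_pid "$(ps x)" "$(cat /proc/net/netlink)")
PID=$(auditd_pid "$PS_SAMPLE" "$NETLINK_SAMPLE") || { echo "auditd not found" >&2; exit 3; }
echo "would run: /sbin/auditctl -a entry,always -S all -F pid!=$PID"
```

Two caveats a practitioner should keep in mind: the netlink portid equals the process PID only for a process's first autobound netlink socket, which holds for auditd but is not a general guarantee; and auditctl itself opens a NETLINK_AUDIT socket while it runs, so the lookup should be taken before invoking it, as above, and should refuse to proceed rather than guess when more than one candidate turns up.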

