[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit audtid's syscall?



Well I wasn't worried about security risks because I was using it for a
personal study, but yes, definitely a "free lunch".  Also, thanks for
the bash scripting corrections! :)

Avishay Traeger

On Thu, 2005-02-03 at 12:24 -0500, Valdis Kletnieks vt edu wrote:
> On Thu, 03 Feb 2005 11:08:08 EST, Avishay Traeger said:
> 
> > PID=`ps x | grep auditd | grep -v grep | cut -c 2-5`
> 
> > /sbin/auditctl -a entry,always -S all -F pid!=$PID || exit3
> 
> This will, under some conditions, allow an attacker a "free lunch" just by
> calling his process something with 'auditd' in it.  You really need to check
> against what process is actually doing the auditd function (i.e. is it listening
> to the netlink?)
> 
> The 'cut -c 2-5' will bork if auditd gets a process ID over 9999. '-c 1-6' or
> awk '{print $1}' might be better....
> 
> Also, you can save a fork/exec like this:
> 
> PID=`ps x | grep 'aud[i]td' | -c 1-5`
> 
> (Think carefully about how grep applies the regexp when it finds itself...)
> --
> Linux-audit mailing list
> Linux-audit redhat com
> http://www.redhat.com/mailman/listinfo/linux-audit



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]