[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Handling disk full & No Kernel resources



On Wednesday 05 January 2005 18:49, Casey Schaufler wrote:
> inetd (or xinetd if you're living in the 21st
> century) must set the audit flags for the child
> process it spawns, as well as the audit user id.

What flags? Can you give me a concrete example? All xinetd children share the 
same session ID unless they set their own. I don't know of any program that 
sets its own that is xinetd friendly. Therefore, you can track items of 
interest by being able to audit based on the session ID or process group ID.

> xinetd invokes a child to perform an action on a
> user's behalf, which means that the action must be
> audited as that user is audited.

Only sometimes. For example, you could have a daytime service and the user 
requesting time isn't known because ident isn't running on the other end. 
Now, if you have telnet, ssh, or ftp being started by xinetd, the child will 
know who the user is (since they had to say who they are and provide a 
password) and if you are using a pamified version, the pam_audit module can 
set the login id. But to be able to track *any* xinetd child, you need to 
follow the session ID or process group ID. This is missing from the current 
implementation.

-Steve Grubb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]