[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC] linux-2.6.10-auditfs-tc1.patch

On Fri, Jan 21, 2005 at 10:29:47AM -0800, Chris Wright wrote:
> Now for updates, I think you'll need to keep watch of the whole tree,
> mount issues aside.  For example, I believe that right now the following
> could fall off of the radar:
> # mv /etc /tmp
> # mkdir /etc
> # cp /tmp/evil_shadow /etc/shadow
> I think this would kill /etc dir watchpoints, and /etc/shadow would no
> longer be watched, while /tmp/etc/shadow is diligently watched.

This type of thing is not a concern for CAPP and LSPP, since
administrators are still assumed to be trustworthy, and ordinary users
can't do that kind of thing. I'm not convinced that it's a real concern
in practical use either - an audit subsystem that could cope with
malicious administrators reliably would need to be designed differently.

I guess it would be possible to set up a watch list on "/" to monitor
renames/recreation of /etc though, which would at least give admins the
chance to notice this kind of thing happening.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]