[RFC] linux-2.6.10-auditfs-tc1.patch

Chris Wright chrisw at osdl.org
Fri Jan 21 19:49:27 UTC 2005


* Klaus Weidner (klaus at atsec.com) wrote:
> This type of thing is not a concern for CAPP and LSPP, since
> administrators are still assumed to be trustworthy, and ordinary users
> can't do that kind of thing. I'm not convinced that it's a real concern
> in practical use either - an audit subsystem that could cope with
> malicious administrators reliably would need to be designed differently.

Yes, that's the same conversation I was having with Tim.  That will take
any mount issues off the table, as they are identical.

> I guess it would be possible to set up a watch list on "/" to monitor
> renames/recreation of /etc though, which would at least give admins the
> chance to notice this kind of thing happening.

Right, that's what I meant by watching the whole tree.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net



