Re: [RFC] linux-2.6.10-auditfs-tc1.patch

* Klaus Weidner (klaus atsec com) wrote:
> This type of thing is not a concern for CAPP and LSPP, since
> administrators are still assumed to be trustworthy, and ordinary users
> can't do that kind of thing. I'm not convinced that it's a real concern
> in practical use either - an audit subsystem that could cope with
> malicious administrators reliably would need to be designed differently.

Yes, that's the same conversation I was having with Tim.  That will take
any mount issues off the table, as they are identical.

> I guess it would be possible to set up a watch list on "/" to monitor
> renames/recreation of /etc though, which would at least give admins the
> chance to notice this kind of thing happening.

Right, that's what I meant by watching the whole tree.
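An added example, not part of the original mail or the auditfs patch: one way to review records from a watch on "/" for /etc being renamed away and then recreated. The record layout is that of current Linux auditd (an assumption, since the 2.6.10 patch's output format is not shown in this thread), and the sample lines, the `root-watch` key and the function names are constructed for illustration.

```python
import re

# Constructed sample records in the layout of current Linux auditd
# (assumption: not the output format of the 2.6.10 auditfs patch).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1100000000.100:41): arch=c000003e syscall=2 success=yes exe="/bin/cat" key="root-watch"
type=PATH msg=audit(1100000000.100:41): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1100000000.200:42): arch=c000003e syscall=82 success=yes exe="/bin/mv" key="root-watch"
type=PATH msg=audit(1100000000.200:42): item=0 name="/" nametype=PARENT
type=PATH msg=audit(1100000000.200:42): item=2 name="/etc" nametype=DELETE
type=PATH msg=audit(1100000000.200:42): item=3 name="/etc.orig" nametype=CREATE
type=SYSCALL msg=audit(1100000000.300:43): arch=c000003e syscall=83 success=yes exe="/bin/mkdir" key="root-watch"
type=PATH msg=audit(1100000000.300:43): item=0 name="/" nametype=PARENT
type=PATH msg=audit(1100000000.300:43): item=1 name="/etc" nametype=CREATE
"""

SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    # Return the record's key=value fields plus its event serial, or None.
    m = SERIAL_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return dict(fields, serial=int(m.group(1))) if m else None

def find_name_changes(log, protected=("/etc",)):
    # Directory entries for protected paths that were removed or created.
    exe, findings = {}, []
    for rec in filter(None, map(parse_record, log.splitlines())):
        if rec.get("type") == "SYSCALL":
            exe[rec["serial"]] = rec.get("exe", "?")
        elif rec.get("type") == "PATH" and rec.get("nametype") in ("DELETE", "CREATE"):
            name = rec.get("name", "").rstrip("/") or "/"
            if name in protected:
                findings.append((rec["serial"], rec["nametype"], name, exe.get(rec["serial"], "?")))
    return findings

def replaced_paths(findings):
    # Paths whose entry was deleted (or renamed away) and later recreated.
    gone, swapped = set(), []
    for _, kind, name, _ in findings:
        if kind == "DELETE":
            gone.add(name)
        elif name in gone and name not in swapped:
            swapped.append(name)
    return swapped

if __name__ == "__main__":
    print(find_name_changes(SAMPLE_LOG), replaced_paths(find_name_changes(SAMPLE_LOG)))
```

Ordinary accesses beneath /etc (event 41 in the sample) are ignored; only changes to the /etc directory entry itself are reported, which is the case a watch placed on paths under /etc alone would not surface.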

