[RFC] linux-2.6.10-auditfs-tc1.patch
Chris Wright
chrisw at osdl.org
Fri Jan 21 19:49:27 UTC 2005
* Klaus Weidner (klaus at atsec.com) wrote:
> This type of thing is not a concern for CAPP and LSPP, since
> administrators are still assumed to be trustworthy, and ordinary users
> can't do that kind of thing. I'm not convinced that it's a real concern
> in practical use either - an audit subsystem that could cope with
> malicious administrators reliably would need to be designed differently.

Yes, that's the same conversation I was having with Tim. That will take
any mount issues off the table, as they are identical.

> I guess it would be possible to set up a watch list on "/" to monitor
> renames/recreation of /etc though, which would at least give admins the
> chance to notice this kind of thing happening.

Right, that's what I meant by watching the whole tree.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net