auditing activity where uid==0

Steve Grubb sgrubb at redhat.com
Fri Dec 4 14:35:23 UTC 2009 

On Friday 04 December 2009 06:08:42 am Trevor Vaughan wrote:
> >> I'm getting lots of extraneous chatter from sshd, automount, and cron,
> >> all of which are from tty=(none), but I'm not sure it's possible to
> >> filter on tty...
> 
> It's not as far as I could find, though this would be an awesome
> feature.  Basically, the ability to say, tty!=none.

This can be easily subverted by an attacker. Open af_unix socket, pass 
descriptor, do not read it, close stdin - stdout and do evil work, then read 
socket and use tty input/output again.

> > The way that we suggest auditing the actions of a root user is by using
> > the tty audit capability. This is a little more specific about what is
> > really happening. For example, someone could start a python shell and
> > start issuing commands. If you audit by execve, then all you see is
> > python start up and then you see nothing else. Also, bash can do
> > networking. Its possible to transfer files using bash primitives that you
> > won't pick up by auditing execve syscalls. Awk is also network aware...
> 
> One thing to note about the tty audit capability is that it is a forward
> processing logger, not an echo logger.

I prefer to call it a keystroke logger because it gets all of them.

> This means that it will capture passwords that you type in at the command
> line even if they are not echoed.

True and they are protected by needing root level access to get at them. 
Anyone that has root access can install a rootkit to grab passwords just as 
easily. If the concern is that these could be stored and looked at by anyone 
with access to the backed up logs, then use gpg to encrypt the files.

> You may want to look at something like sudosh or the like which are echo
> loggers and will not collect anything that is hidden from the terminal.

Those are easily subverted, though.

>  This presents it's own problems, but at least won't grab sensitive
> passwords in general.

All protection profiles state that root is trusted. There are at least 20 
covert channels I can think of that would let an evil admin get a user's 
private keys/data or credentials.

-Steve

More information about the Linux-audit mailing list