
Re: auditd not triggering ANOM_ROOT_TRANS record



Hey William,
The exploit is run as a normal user and escalates privileges to a root shell.

On Tue, 25 Oct 2016 at 15:09 William Roberts <bill c roberts gmail com> wrote:

On Oct 25, 2016 05:12, "teroz" <terence namusonge gmail com> wrote:
>
> I used one of the dirtycow root exploits on Fedora24 configured with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the best way to trivially audit for a successful privilege escalation?
>

I would imagine that if it's hijacking an already root or setuid binary, you won't see anything. As far as that record goes, I have no idea, I'll let an auditing expert answer that question.
>
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit

