Austin Schutz wrote:
> > 1. The audit trail would show that you modified telnetd.
>
> No, because I didn't modify it. I found a buffer overrun and exploited
> it (or I exploited BIND, or sendmail, etc...) and never modified anything.
--- But let's say we configured init to set_luid(daemon). All of a sudden we see user 'daemon' starting a shell. *red flag*. In fact, if you had an event deamon monitoring the audit log, I could see it shutting down that process in under 1 second, for example.> As long as the machine has not been compromised, I agree. But it > should not give one a false sense of being more secure. --- No it's only designed to measure that a security breach occurred and what the intruder did. No *increase* of security -- that's why it is called "auditing". If you want a security increase, the wait until the Labeled Security Protection Profile (LSPP) is applied to a Linux target. That would provide serious ammo to defending a system. Adding MAC and least priviledge, file-based capabilities, and non executable stack and you have something a bit more tedious to break into. Considering 'root' access may mean nothing and there may be no user on the system that has all Capabilities. Root can be configured to only be able to access certain files, daemons could be configured to only be able to access the files they are supposed to, etc. Would really rain on a cracker's parade. Probably the best they could do would be to bring down the system (like the DoS attacks). Annoying, but not security defeating.
Imagine the credit card database so that neither root nor http could access it except through a secured program that neither could write to, etc. Great fun... -l
-- Linda Walsh @ SGI | Core Linux - Trust Technology 1200 Crittenden Lane MS:30-3-802 | Voice: (650) 933-5338 Mountain View, CA 94043 | Email: law@sgi.com
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:12 EST