Session recording
Ben Scott
dragonhawk at gmail.com
Mon Mar 31 15:39:55 EDT 2008
On Mon, Mar 31, 2008 at 3:09 PM, Kenny Lussier <klussier at gmail.com> wrote:
> As you pointed out, there are a lot of ways
> around these things, such as executing a script that executes a bunch
> of commands.
Also in that vein: Programs like vim or emacs, which allow one to
execute arbitrary commands (without a shell) from inside them. Moving
beyond that, there's all sorts of things one can do using an
interactive program (emacs, vi, mc, Perl, FTP, whatever) which don't
even involve reading a script file from disk. Those might be
legitimate actions, or nefarious ones.
But I was thinking of something even more insidious than that -- the
shell runs under the user's account, and is thus ultimately under the
user's control. The kernel does a pretty good job of keeping users
from trampling on processes they don't own. A user's own processes are
generally far more vulnerable. So ideally, you want the logging done
by something completely outside the user's control -- the kernel
itself, or a process running under a different uid.
> I'm not sure about SELinux yet.
Me neither. :) I know one goal of the project is/was to enable
auditing of this sort, but I don't know if it has been realized.
-- Ben
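An added illustration of the point above, not code from this thread or from the list: if the kernel's audit subsystem writes the execve records, a command spawned from inside vim (:!rm ...) or run through sudo is recorded with its login uid (auid, which the user cannot change) and its parent chain, which no shell-level history or wrapper can see. The Python below assumes auditd is loaded with an execve rule tagged "exec" (for example `-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -k exec`, an assumption stated in the code); the audit lines, pids and the list of "interactive" program names are constructed for the example.

```python
"""Reconstruct execve events from Linux audit records.

Added example for this thread; not code from the original post.  It assumes
auditd is loaded with an execve rule tagged "exec", e.g.
    -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -k exec
so every exec by a logged-in user is written by the kernel no matter which
program (shell, vim, emacs, perl ...) performed it.  Log lines, pids and
the INTERACTIVE list below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed records: a login shell, vim, an "rm" launched from inside vim
# via :!, then "sudo id".  Audit hex-encodes arguments containing spaces,
# so a2 of serial 4711 is "rm -rf /tmp/evidence" in hex.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1206992300.000:4700): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1999 auid=1000 uid=1000 euid=1000 comm="bash" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1206992300.000:4700): argc=1 a0="-bash"
type=SYSCALL msg=audit(1206992310.000:4701): arch=c000003e syscall=59 success=yes exit=0 ppid=1999 pid=2001 auid=1000 uid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="exec"
type=EXECVE msg=audit(1206992310.000:4701): argc=2 a0="vim" a1="notes.txt"
type=SYSCALL msg=audit(1206992395.123:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2042 auid=1000 uid=1000 euid=1000 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1206992395.123:4711): argc=3 a0="sh" a1="-c" a2=726D202D7266202F746D702F65766964656E6365
type=SYSCALL msg=audit(1206992395.200:4712): arch=c000003e syscall=59 success=yes exit=0 ppid=2042 pid=2043 auid=1000 uid=1000 euid=1000 comm="rm" exe="/bin/rm" key="exec"
type=EXECVE msg=audit(1206992395.200:4712): argc=3 a0="rm" a1="-rf" a2="/tmp/evidence"
type=SYSCALL msg=audit(1206992420.000:4719): arch=c000003e syscall=59 success=yes exit=0 ppid=1999 pid=2049 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1206992420.000:4719): argc=2 a0="sudo" a1="id"
type=SYSCALL msg=audit(1206992420.500:4720): arch=c000003e syscall=59 success=yes exit=0 ppid=2049 pid=2050 auid=1000 uid=0 euid=0 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1206992420.500:4720): argc=1 a0="id"
"""

# Programs Ben's post mentions as able to run commands without a shell
# (assumed list; extend to taste).
INTERACTIVE = ("vim", "vi", "emacs", "mc", "perl", "ftp")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def decode_value(value):
    """Audit quotes plain strings and hex-encodes ones with untrusted bytes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_execve_events(log_text):
    """Join the SYSCALL and EXECVE records that share one audit serial."""
    records = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        rec = records[int(m.group(2))]
        rec.setdefault("time", float(m.group(1)))
        if fields.get("type") == "SYSCALL" and decode_value(fields.get("key", "")) == "exec":
            for k in ("pid", "ppid", "auid", "uid", "euid"):
                rec[k] = int(fields[k])          # auid: login uid, set by pam_loginuid
            rec["comm"] = decode_value(fields["comm"])
            rec["exe"] = decode_value(fields["exe"])
        elif fields.get("type") == "EXECVE":
            rec["argv"] = [decode_value(fields["a%d" % i]) for i in range(int(fields["argc"]))]
    events = [r for r in records.values() if "argv" in r and "pid" in r]
    return sorted(events, key=lambda r: r["time"])


def ancestry(events, event):
    """Walk ppid links back through earlier execs: who really ran this?"""
    chain = [event["comm"]]
    ppid = event["ppid"]
    while ppid > 1 and len(chain) < 64:
        parents = [e for e in events if e["pid"] == ppid and e["time"] <= event["time"]]
        if not parents:                      # parent exec'd before auditing started
            break
        event = parents[-1]                  # most recent exec of that pid
        chain.append(event["comm"])
        ppid = event["ppid"]
    return chain[::-1]


def spawned_from_interactive(events, programs=INTERACTIVE):
    """Execs whose ancestry passes through an editor or similar program:
    exactly the commands a shell-history or shell-wrapper log never sees."""
    hits = []
    for e in events:
        chain = ancestry(events, e)
        if any(p in programs for p in chain[:-1]):
            hits.append((" > ".join(chain), " ".join(e["argv"]), e["auid"], e["uid"]))
    return hits


if __name__ == "__main__":
    evs = parse_execve_events(SAMPLE_AUDIT_LOG)
    for e in evs:
        print("auid=%d uid=%d %s: %s" % (e["auid"], e["uid"],
                                         " > ".join(ancestry(evs, e)), " ".join(e["argv"])))
    print("launched from inside an interactive program:")
    for chain, cmd, auid, uid in spawned_from_interactive(evs):
        print("  [%s] %s (auid=%d uid=%d)" % (chain, cmd, auid, uid))
```

Two things to note when reading the output: the `id` run under sudo has uid=0 but still carries auid=1000, because the login uid is set once by pam_loginuid and is not changeable by the user's own processes, and the `rm` shows up with the chain bash > vim > sh > rm even though the user's shell history would only ever contain `vim notes.txt`. Audit rules are a kernel mechanism, so this holds regardless of which shell or editor the user picks; it does not, by itself, record what the commands read or wrote.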