Re: virtual terminal dump

From: Hal Flynn (flynn@securityfocus.com)
Date: 10/24/01


Date: Wed, 24 Oct 2001 13:47:00 -0600 (MDT)
From: Hal Flynn <flynn@securityfocus.com>
To: <focus-linux@securityfocus.com>
Subject: Re: virtual terminal dump
Message-ID: <Pine.GSO.4.30.0110241340330.3320-100000@mail>


> While there is much to be said for not giving accounts to untrusted
> users, this is a fact of life, and some people like to mitigate their
> risks by seeing what their computer is being used for. And, in that
> case, I might suggest several possibilities:
>
> * BSD process accounting
> * kernel-level auditing of another variety

Even so, you still run into the chicken-and-egg debate. If the data is
logged on the system, it can be altered on the system as well (if it's
rooted). This is one of the reasons I like rootkits; while many frown on
these utilities as bad, I see them as a double-edged sword.

If you're logging user activity on the system, you either have to hope the
user isn't smart enough to know they're being logged, or that you've hidden
the logging facilities well enough to prevent the user from finding them.

Thus, a rootkit, or kernel module that hides the activity of such software,
is important in this context. If the system is rooted, the user can
easily alter the logs to remove any incriminating entries.

My grep "0.02" DOLLAR > ADVICE

Hal Flynn
UNIX Focus Area Manager
SecurityFocus

"Semper Fidelis"
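The point above (a log kept on the box can be edited on the box once it's rooted) can be made concrete with a hash-chained log. This is an added example, not code from the thread: the log lines are constructed, and it assumes the final chain digest is copied to a host the user cannot reach, since a local-only check passes once root rebuilds the whole chain.

```python
import hashlib

# Constructed sample activity log (not taken from the original thread).
LOG_LINES = [
    "2001-10-24T13:40:01 login user=alice tty=tty3",
    "2001-10-24T13:41:17 exec user=alice cmd=/bin/cat /etc/passwd",
    "2001-10-24T13:42:05 exec user=alice cmd=/usr/bin/gcc exploit.c",
    "2001-10-24T13:45:30 logout user=alice tty=tty3",
]

SEED = b"genesis"  # assumption: fixed starting value shared with the verifier


def chain_log(lines, seed=SEED):
    """Return [(line, digest)] where each digest covers the previous digest
    plus the current line, so removing or editing an entry breaks every
    digest after it."""
    prev = hashlib.sha256(seed).digest()
    entries = []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode()).digest()
        entries.append((line, digest.hex()))
        prev = digest
    return entries


def verify_log(entries, head, seed=SEED):
    """Recompute the chain over the entries found on disk.

    `head` is the last digest as stored off-host. Returns (ok, index):
    index is the first entry whose digest does not match, or None when
    every entry matches and the only possible failure is a head mismatch
    (chain rebuilt locally, or trailing entries dropped)."""
    prev = hashlib.sha256(seed).digest()
    for i, (line, digest) in enumerate(entries):
        expected = hashlib.sha256(prev + line.encode()).digest()
        if expected.hex() != digest:
            return False, i
        prev = expected
    return prev.hex() == head, None


if __name__ == "__main__":
    entries = chain_log(LOG_LINES)
    head = entries[-1][1]                    # this value is what goes off-host
    print("intact:", verify_log(entries, head))
    dropped = entries[:2] + entries[3:]      # root removes the gcc entry
    print("entry removed:", verify_log(dropped, head))
    rebuilt = chain_log(LOG_LINES[:2] + LOG_LINES[3:])
    print("chain rebuilt, local head only:", verify_log(rebuilt, rebuilt[-1][1]))
    print("chain rebuilt, off-host head:", verify_log(rebuilt, head))
```

The last two lines of output are the chicken-and-egg problem in miniature: a rebuilt chain is self-consistent, and only the copy of the head that left the machine reveals the edit.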