Re: process accounting

From: Mark (mark_at_wwjh.net)
Date: 05/28/03

    To: focus-linux@securityfocus.com
    Date: 28 May 2003 16:14:04 +0100
    

    Now the whole 'cat < /etc/passwd' bit I found intriguing because sure
    enough if you strace the 'cat < /etc/passwd' you don't see any
    sys_open's (makes sense).

    However, if you strace the PID of the bash shell, you do.

    [pid 8807] open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3
    [pid 8807] dup2(3, 0) = 0
    [pid 8807] close(3) = 0
    [pid 8807] execve("/bin/cat", ["cat"], [/* 34 vars */]) = 0

    Now, if you were watching what is executing, you flag any opening of
    the /etc/passwd file, and then after the duplication of the file
    descriptor you know something is happening. Could you not get around
    the "no logging" issue that way?

    As later we see the fd (0) being used for:

    read(0, "root:x:0:0:root:/root"..., 4096)

    You may not want to block the calls that are going on; however, you may
    want to log them on systems that you had a concern about. login, however,
    does not create the same pattern...

    Just my two pennies, and some thinking to do for myself now too!

    -- 
    Mark <mark@wwjh.net>
    
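The open/dup2/close/execve sequence quoted above, turned into detection logic as an added example (not code from the original post): a small Python tracker that follows each PID's descriptor table through constructed `strace -f` lines and raises an alert when a process calls execve with a sensitive file already wired to one of its descriptors. The `SENSITIVE` watch list and the sample trace lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed `strace -f` sample modelled on the sequence quoted in the post,
# plus a benign redirect (pid 8810) that must not trigger an alert.
SAMPLE_TRACE = """\
[pid  8807] open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3
[pid  8807] dup2(3, 0)                  = 0
[pid  8807] close(3)                    = 0
[pid  8807] execve("/bin/cat", ["cat"], [/* 34 vars */]) = 0
[pid  8807] read(0, "root:x:0:0:root:/root"..., 4096) = 1234
[pid  8810] open("/tmp/notes.txt", O_RDONLY|O_LARGEFILE) = 3
[pid  8810] dup2(3, 0)                  = 0
[pid  8810] execve("/bin/cat", ["cat"], [/* 34 vars */]) = 0
"""
SENSITIVE = {"/etc/passwd", "/etc/shadow"}   # assumed watch list
LINE_RE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
def parse_line(line):
    m = LINE_RE.match(line)                     # None for signals, exits, etc.
    if not m:
        return None
    pid, call, args, ret = m.groups()
    return (int(pid) if pid else 0), call, args, int(ret)
def first_string_arg(args):
    m = re.match(r'"([^"]*)"', args)
    return m.group(1) if m else None

def find_redirected_exec(trace):
    """Follow each PID's fd table; flag execve calls that inherit a sensitive file."""
    fds, alerts = defaultdict(dict), []        # pid -> {fd: path}
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, call, args, ret = parsed
        table = fds[pid]
        if call == "open" and ret >= 0:
            table[ret] = first_string_arg(args)        # fd 3 now names /etc/passwd
        elif call == "dup2" and ret >= 0:
            old, new = (int(x) for x in args.split(","))
            table.pop(new, None)                       # dup2 silently closes `new`
            if old in table:
                table[new] = table[old]                # the redirect: path moves onto fd 0
        elif call == "close" and ret == 0:
            table.pop(int(args), None)                 # close(3) leaves fd 0 in place
        elif call == "execve":
            # fds without close-on-exec survive into the new image, stdin included,
            # so the path is known at exec time even though cat itself never opens it.
            prog = first_string_arg(args)
            alerts += [(pid, prog, fd, p) for fd, p in sorted(table.items()) if p in SENSITIVE]
    return alerts
```

Because the table is kept per PID, the open() seen in the shell and the execve of cat are correlated even though no single process both opens the file and reads it after exec.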
