[ale] Auditing root shells

James P. Kinney III jkinney at localnetsolutions.com
Mon Sep 19 12:14:49 EDT 2005


On Mon, 2005-09-19 at 11:16 -0400, Christopher Fowler wrote:
> On Mon, 2005-09-19 at 10:18 -0400, James P. Kinney III wrote:
> > Serial console is an excellent idea. I now recall from "The Cuckoo's
> > Egg" the use of a serial console split on the wire to a line printer
> > that was used to capture the command during a break-in.
> 
> I think the problem with capturing output via a wire is that you can
> only monitor Tx on either the device or user.  A console management
> device sits between the user and the server capturing all output.

Both Tx and Rx can be logged. They would each require a separate logging
port (i.e. a dual serial port line printer).
> 
> Plus it's more economical than having a printer for each server.

Absolutely. There was a brief mention of an incident where the needed
data in "The Cuckoo's Egg" was lost because the printer ran out of paper.
One thing that just ran through my mind was the potential for system
abuse with remote logging. If an attacker knows about the layout of the
logging network, it would be possible to flood the logging machine with
bogus "issues" from hosts not under the main attack. This would obscure
the real log entry of nefarious events. It could also cause data loss on
the logger if the load were high enough for the buffers to get flushed
by excessively long log entries (^P^Q, etc) coming in from multiple
machines.
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
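The flood-the-collector concern in the last paragraph above, as an added illustration that is not part of the list thread: a small batch check over constructed BSD-style syslog lines that flags hosts bursting past a per-window rate, flags oversized or control-character-laden entries, and still surfaces the one root-shell event buried in the noise. The year, thresholds, host names and the sudo message format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Classic BSD syslog line: "Mon DD HH:MM:SS host program: message"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")

MAX_MSG_LEN = 1024     # assumption: longer entries are treated as buffer pressure
BURST_LIMIT = 10       # assumption: messages per host per window before flagging
WINDOW_SECONDS = 60
ASSUMED_YEAR = "2005"  # BSD syslog carries no year; assumed for parsing only

# Constructed sample: two hosts flood the collector with bogus alerts while
# a third host logs the single root shell that actually matters.
SAMPLE_LINES = (
    [f"Sep 19 12:14:{i:02d} web{i % 2} httpd: bogus alert {i}" for i in range(30)]
    + ["Sep 19 12:14:20 db1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash",
       "Sep 19 12:14:25 web1 httpd: " + "\x10\x11" * 600]  # ^P^Q garbage, 1200 bytes
)

def parse(line):
    """Split one syslog line into (timestamp, host, program, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + m.group(1), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def audit(lines):
    """Return (flooding_hosts, oversized_hosts, root_shell_events)."""
    per_host = defaultdict(list)
    oversized, root_shells = set(), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, prog, msg = parsed
        per_host[host].append(ts)
        if len(msg) > MAX_MSG_LEN or any(ord(c) < 32 for c in msg):
            oversized.add(host)
        if prog == "sudo" and "USER=root" in msg:
            root_shells.append((host, msg))
    flooding = set()
    for host, stamps in per_host.items():
        stamps.sort()
        lo = 0  # sliding window over sorted timestamps
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > WINDOW_SECONDS:
                lo += 1
            if hi - lo + 1 > BURST_LIMIT:
                flooding.add(host)
                break
    return sorted(flooding), sorted(oversized), root_shells
```

Running audit(SAMPLE_LINES) flags web0 and web1 as flooding, web1 as the source of the oversized entry, and still returns the db1 root shell on its own.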