* Daniel Souza ([EMAIL PROTECTED]) wrote:
> No, I was tracking file creations/modifications/attempts of
> access/directory creations|modifications/file movings/program
> executions with some filter exceptions (avoid logging library loads by
> ldd to preserve disk space).
>
> It was a little module that logs file changes and program executions
> to syslog (showing owner,pid,ppid,process name, return of
> operation,etc), that, used with remote syslog logging to a 'strictly
> secure' machine (just receive logs), keep security logs of everything
> (like, it was possible to see apache running commands as "ls -la /" or
> "ps aux", that, in fact, were signs of intrusion of try of intrusion,
> because it's not a usual behavior of httpd. Maybe anyone exploited a
> php page to execute arbitrary scripts...)

This is what the audit subsystem is working towards. Full tracking
isn't quite there yet, but getting closer.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
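The check described in the quoted message (a web server process running commands such as "ls -la /" or "ps aux") can be run over exec records collected on the log host. This is an added example, not code from the thread or from the module it discusses; the key=value log layout, the process names and the allowlist are assumptions.

```python
import shlex

WEB_SERVERS = {"httpd", "apache", "apache2"}  # assumed web server process names
ALLOWED = {"/usr/sbin/rotatelogs"}            # assumed allowlist of expected helpers

# Constructed sample lines. The key=value layout is an assumption; the
# thread does not show the module's real log format.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 kernel: op=exec owner=root pid=410 ppid=1 comm=init path=/usr/sbin/httpd args="httpd -k start" ret=0
Mar  3 10:00:02 web1 kernel: op=exec owner=root pid=455 ppid=410 comm=httpd path=/usr/sbin/rotatelogs args="rotatelogs /var/log/httpd/access 86400" ret=0
Mar  3 10:05:00 web1 kernel: op=exec owner=alice pid=700 ppid=650 comm=bash path=/bin/ps args="ps aux" ret=0
Mar  3 10:07:10 web1 kernel: op=open owner=apache pid=412 ppid=410 comm=httpd path=/var/www/html/index.php ret=0
Mar  3 10:07:11 web1 kernel: op=exec owner=apache pid=501 ppid=412 comm=httpd path=/bin/sh args="sh -c ls -la /" ret=0
Mar  3 10:07:11 web1 kernel: op=exec owner=apache pid=502 ppid=501 comm=sh path=/bin/ls args="ls -la /" ret=0
Mar  3 10:07:12 web1 kernel: op=exec owner=apache pid=503 ppid=501 comm=sh path=/bin/ps args="ps aux" ret=-13
""".splitlines()


def parse_line(line):
    """Split the syslog prefix off and turn key=value fields into a dict."""
    body = line.partition(": ")[2]
    return dict(tok.split("=", 1) for tok in shlex.split(body) if "=" in tok)


def find_web_execs(lines):
    """Return exec events issued by a web server process or its descendants."""
    tainted = set()  # pids known to descend from a web server process
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("op") != "exec":
            continue
        pid, ppid = int(ev["pid"]), int(ev["ppid"])
        # comm is the name before exec, so comm=httpd means httpd forked this pid.
        if ev["comm"] in WEB_SERVERS or pid in tainted or ppid in tainted:
            tainted.add(pid)
            if ev["path"] not in ALLOWED:
                # Failed attempts (ret != 0) are reported too.
                alerts.append((pid, ev["path"], ev.get("args", ""), int(ev["ret"])))
    return alerts


if __name__ == "__main__":
    for pid, path, args, ret in find_web_execs(SAMPLE_LOG):
        print(f"ALERT pid={pid} exec={path} args={args!r} ret={ret}")
```

Tracking descendants by pid keeps the alert when the command is launched through an intermediate shell, but pid reuse over long log windows can cause false matches, so the taint set should be reset per boot or aged out.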