
Looks like pam_tty_audit in Linux (http://www.slashzero.com/2009/11/shell-session-logging/) could have been a great way to help figure out "what happened!" when one gets rooted.

I say "could have been" because the rootkits do clean logs and kill remote logging before they do anything else.

Say I know that some of my OpenVZ containers get rooted and I trust that my OpenVZ hardware root did not. Could I have audited from the OpenVZ hardware node on all the TTYs of the containers?

Shane Madden
Aleksandr Levchuk

1 Answer


Instead of catching audit logs with auditd, you can configure syslog on the OpenVZ VE to send all logs to a remote server (which could be the OpenVZ HN itself, for example). Thus, all audit events would be safe from a VE compromise.

I'm marking this answer as wiki in case somebody wants to provide further details.

joechip
  • I agree. Thank you. I now have 2 more points: (1) The HN has direct access to the TTYs; (2) It would be easier for the adversary to kill remote logging than to avoid TTYs. I edited my question to reflect your input. – Aleksandr Levchuk Aug 03 '11 at 07:11
  • As a side note, keep in mind it is not necessary to use a TTY for hacking. A vulnerable service could be used to establish a C&C channel for the attacker without a single blip on TTYs. – joechip Aug 03 '11 at 14:51
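The setup the answer describes, as an added example (not code from the question or the answer): inside the VE, auditd hands its records (including the pam_tty_audit keystroke records the question asks about) to syslog through the audispd syslog plugin, and rsyslog ships everything to the hardware node over TCP with an on-disk queue; on the HN, rsyslog listens on 514 and writes one directory per sending container. Assumptions: the HN is reachable from the containers at the hypothetical address 10.0.0.1 on the 10.0.0.0/24 venet network, the file layout is RHEL/CentOS style (rsyslog, /etc/audisp/plugins.d, /etc/pam.d/sshd), and the rsyslog directives are the legacy `$...` syntax of the rsyslog 3-5 era this thread dates from. Files are written under `$ROOT` (a temp dir by default) so the result can be inspected before running it with `ROOT=/` on the real hosts.

```shell
#!/bin/sh
# Example configuration generator, not part of the original thread.
# Stages (under $ROOT) the files needed for: VE -> HN remote syslog,
# auditd -> syslog via audispd, and pam_tty_audit on SSH sessions.
ROOT="${ROOT:-$(mktemp -d)}"
HN_ADDR="${HN_ADDR:-10.0.0.1}"   # assumption: HN address on the venet network
VE_NET="${VE_NET:-10.0.0.}"      # assumption: prefix of the container addresses

# write_file <path>  (content on stdin); creates parent directories under $ROOT
write_file() {
    mkdir -p "$(dirname "$ROOT$1")"
    cat > "$ROOT$1"
}

# --- container side -------------------------------------------------------

# Forward every facility/priority to the HN over TCP (@@ = TCP, @ = UDP).
# The disk-assisted queue keeps records during a short outage, but nothing
# here survives an intruder who simply kills rsyslogd: only records that
# already left the VE are protected, which is the point raised in the comments.
ve_rsyslog_forward() {
    write_file /etc/rsyslog.d/forward-to-hn.conf <<EOF
# ship all logs to the hardware node (example config)
\$ActionQueueType LinkedList
\$ActionQueueFileName hnfwd
\$ActionResumeRetryCount -1
*.* @@${HN_ADDR}:514
EOF
}

# Enable the audispd builtin syslog plugin so auditd records reach syslog
# (and therefore the forwarding rule above) instead of only /var/log/audit.
ve_audisp_syslog() {
    write_file /etc/audisp/plugins.d/syslog.conf <<EOF
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
}

# Record keystrokes of every user on an SSH TTY; appended to the session
# stack of /etc/pam.d/sshd unless a pam_tty_audit line is already there.
ve_pam_tty_audit() {
    f="$ROOT/etc/pam.d/sshd"
    mkdir -p "$(dirname "$f")"
    line='session    required     pam_tty_audit.so enable=*'
    grep -qF 'pam_tty_audit.so' "$f" 2>/dev/null || printf '%s\n' "$line" >> "$f"
}

# --- hardware node side ---------------------------------------------------

# Listen on TCP 514 and write each container's messages to its own directory,
# keyed by the sender's hostname; messages from the VE network are then
# discarded ("& ~", legacy syntax) so they don't also land in the HN's own logs.
hn_rsyslog_receive() {
    write_file /etc/rsyslog.d/receive-from-ves.conf <<EOF
\$ModLoad imtcp
\$InputTCPServerRun 514
\$template PerHost,"/var/log/ve/%HOSTNAME%/%PROGRAMNAME%.log"
:fromhost-ip, startswith, "${VE_NET}" ?PerHost
& ~
EOF
}

# Stage everything and print where it went; returns non-zero if any file
# is missing its key line, so the result can be checked before deployment.
stage_all() {
    ve_rsyslog_forward && ve_audisp_syslog && ve_pam_tty_audit && hn_rsyslog_receive
    grep -q "^\*\.\* @@${HN_ADDR}:514" "$ROOT/etc/rsyslog.d/forward-to-hn.conf" &&
    grep -q '^active = yes' "$ROOT/etc/audisp/plugins.d/syslog.conf" &&
    grep -qF 'pam_tty_audit.so enable=*' "$ROOT/etc/pam.d/sshd" &&
    grep -q '^\$InputTCPServerRun 514' "$ROOT/etc/rsyslog.d/receive-from-ves.conf" &&
    echo "staged under $ROOT (restart rsyslog and auditd after installing)"
}
```

The VE-side files go into the container, the `receive-from-ves.conf` file onto the HN; after copying them into place, restart rsyslog on both and auditd in the VE. Running the generator against a staging root first keeps a mistake in a heredoc from silently breaking logging on a production node.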