After the successful presentation of his research results at the OWASP Stammtisch in Frankfurt with 75 participants, Felix Kosterhon (SECUINFRA) will now also talk about the investigation of Linux Audit Framework vulnerabilities at the IT-Security-Meetup Kassel on Wednesday, September 15, 2021 starting at 18:00.
Take the chance and attend the talk for free – secure your credentials HERE.
Felix will present some results of his research on the Linux Audit Framework (auditd), which provides a powerful framework for monitoring system and user activity.
The Linux Audit System (auditd) – curse and blessing
Few logging systems on Linux offer monitoring as comprehensive as auditd. By specifying rules, individual system calls (syscalls) can be monitored in a fine-grained way depending on their arguments and on the calling programs or users. Beyond a basic technical understanding, this kind of monitoring depends on covering all relevant system calls. Since on Linux the same action can, under some circumstances, be achieved with different system calls, a single unmonitored system call can already be enough for an attacker to manipulate a system and collect information undetected. How quickly such a "small" mistake can happen can be seen in the current auditd vulnerability with CVE XXXX, where the developers themselves overlooked a system call. In his presentation, Felix will show the strengths and weaknesses of the Linux audit system, including the discovery process and the background of the auditd vulnerabilities.
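The coverage problem described above can be checked mechanically: if a rule set watches some members of a group of equivalent system calls but not the others, the unwatched ones are a blind spot. The following script is an added example written for this page; it is not code from the talk, from SECUINFRA or from the auditd project. It parses auditctl-style rule lines, collects the syscalls named by `-S`, and reports groups that are only partially covered. The `SYSCALL_FAMILIES` table is a constructed subset chosen for illustration (open/openat/openat2/creat, execve/execveat, and so on), not an exhaustive catalogue of Linux syscall equivalences, and the rule lines are constructed sample input.

```python
import shlex
from typing import Dict, List, Set

# Groups of syscalls that reach the same effect. A rule that names only some
# members of a group leaves the rest unmonitored. Constructed subset for the
# example; a real review would use a fuller table for the kernel in use.
SYSCALL_FAMILIES: Dict[str, Set[str]] = {
    "file open/create": {"open", "openat", "openat2", "creat"},
    "program execution": {"execve", "execveat"},
    "file deletion": {"unlink", "unlinkat"},
    "file rename": {"rename", "renameat", "renameat2"},
    "permission change": {"chmod", "fchmod", "fchmodat"},
}

# Constructed sample rule set that watches only the legacy entry points.
WEAK_RULES: List[str] = [
    "# file access by real users",
    "-a always,exit -F arch=b64 -S open -F auid>=1000 -F auid!=4294967295 -k file_open",
    "-a always,exit -F arch=b64 -S execve -k exec",
    "-a always,exit -F arch=b64 -S unlink,rename -k file_change",
]

# Same intent, with each family named completely.
FIXED_RULES: List[str] = [
    "-a always,exit -F arch=b64 -S open,openat,openat2,creat -F auid>=1000 -F auid!=4294967295 -k file_open",
    "-a always,exit -F arch=b64 -S execve,execveat -k exec",
    "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,renameat2 -k file_change",
]


def parse_syscalls(rule: str) -> Set[str]:
    """Return the syscalls named by the -S options of one rule line.

    Handles both repeated '-S name' options and the comma-separated
    '-S a,b,c' form that auditctl accepts.
    """
    tokens = shlex.split(rule)
    found: Set[str] = set()
    for i, tok in enumerate(tokens):
        if tok == "-S" and i + 1 < len(tokens):
            found.update(s for s in tokens[i + 1].split(",") if s)
    return found


def coverage_gaps(rules: List[str]) -> Dict[str, Set[str]]:
    """Map each partially covered family to the syscalls it is missing.

    A family that is not watched at all is not reported: that is a policy
    choice, whereas a half-watched family is almost always an oversight.
    '-S all' covers every syscall, so it yields no gaps.
    """
    watched: Set[str] = set()
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        watched.update(parse_syscalls(line))
    if "all" in watched:
        return {}
    gaps: Dict[str, Set[str]] = {}
    for family, members in SYSCALL_FAMILIES.items():
        covered = members & watched
        if covered and covered != members:
            gaps[family] = members - covered
    return gaps


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        gaps = coverage_gaps(rules)
        print(f"{name} rule set: {len(gaps)} partially covered famil(y/ies)")
        for family, missing in sorted(gaps.items()):
            print(f"  {family}: missing {', '.join(sorted(missing))}")
```

Run against the weak set, the script flags the open, exec, unlink and rename families as incomplete; the fixed set produces no findings. Extending `SYSCALL_FAMILIES` with the equivalences relevant to your kernel version is the main piece of ongoing maintenance, since new syscalls such as `openat2` arrive without any existing rule noticing them.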