Re: The disappearing sys_call_table export.

Chuck Ebbert (76306.1226@compuserve.com)
Fri, 16 May 2003 12:15:21 -0400


Mike Touloumtzis wrote:

> No Unix (even a "secure" one) is designed to run all security-critical
> code in the kernel. That would be a bad design anyway, since it would
> run lots of code at an unwarranted privilege level. "login" is not
> part of the kernel. "su" is not part of the kernel".

Yes, but "elsewhere" I can audit the system and see which programs
and subsystems are authorized to logon users and the authentication
methods they can use. Note that the below output is not from some
"security enhanced" or "server" version of the OS but rather from
a $179 upgrade I bought at the local Staples store:

2003-05-16 05:06:25 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM
"A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: Protected Storage Service "

2003-05-16 05:06:24 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM
"A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: LAN Manager Workstation Service "

2003-05-16 05:06:17 Security Success Audit System Event 518 NT AUTHORITY\SYSTEM
"An notification package has been loaded by the Security Account Manager.
This package will be notified of any account or password changes.
Notification Package Name: scecli "

2003-05-16 05:06:17 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM
"A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: Service Control Manager "

2003-05-16 05:06:17 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM
"A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: Winlogon\MSGina "

2003-05-16 05:06:17 Security Success Audit System Event 515 NT AUTHORITY\SYSTEM
"A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD "

2003-05-16 05:06:17 Security Success Audit System Event 514 NT AUTHORITY\SYSTEM
"An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: D:\WINNT\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "

2003-05-16 05:06:17 Security Success Audit System Event 514 NT AUTHORITY\SYSTEM
"An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: D:\WINNT\system32\schannel.dll : Microsoft Unified Security Protocol Provider "

2003-05-16 05:06:17 Security Success Audit System Event 514 NT AUTHORITY\SYSTEM
"An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: D:\WINNT\system32\msv1_0.dll : NTLM "

2003-05-16 05:06:17 Security Success Audit System Event 514 NT AUTHORITY\SYSTEM
"An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: D:\WINNT\system32\kerberos.dll : Kerberos "

2003-05-16 05:06:17 Security Success Audit System Event 514 NT AUTHORITY\SYSTEM
"An authentication package has been loaded by the Local Security Authority.
This authentication package will be used to authenticate logon attempts.
Authentication Package Name: D:\WINNT\system32\LSASRV.dll : Negotiate "

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/