It's ok and thanks, I know I can also come across as terse/dickish sometimes. My profile is intentionally vague just because I prefer being anonymous (this is my 5th or 6th profile on here).
I worked in infosec (on all 3 sides, if you know what I mean) from the mid to late 90s, and then became disillusioned with the entire industry and left for greener pastures. I still attempt to keep on top of things (and have done the odd contract job here and there) but I am not all that up with everything going on.
Wrt the topic, what you are saying is that even with my /bin/sh running in the context of whoever sshd or ftpd are running as, by the time I figure out a local escalation the activity on that shell has already been sent to another machine and onto your phone etc?
That was, of course, hyperbole (about blowing up my phone); however, on certain very sensitive systems I do have a kernel module that provides a wrapper to execve(), and that goes directly to a remote logging server and gets replicated. Yes, it's fucking noisy, but storage is cheap and databases are searchable.
As you well know, a careful individual can evade it if they know it's there, but the initial prodding would get logged.
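The collector side of the execve-logging setup the comment describes, as an added example that is not part of the original post or the poster's own module. It assumes a (hypothetical) kernel-side execve() hook that ships one JSON object per exec to the remote logging server with the fields ts, pid, ppid, uid, comm, exe and argv; the feed below is constructed for illustration. It goes one step beyond the comment by flagging the "initial prodding" the poster says gets logged: a shell running as a network daemon's own uid, and the recon and escalation probes that descend from it, while leaving a normal ssh login shell alone.

```python
"""Consumer for an exec-audit feed (added example, not the commenter's code).

Assumed wire format (hypothetical): one JSON object per execve() with
ts, pid, ppid, uid, comm, exe, argv. All records here are constructed.
"""
import json
import os

# Constructed feed: an ftpd running as uid 14 gets a /bin/sh as uid 14 (the
# "shell in the daemon's context" case), which does the usual first-minute
# recon; then a legitimate sshd login for uid 1000; then a malformed line.
SAMPLE_FEED = [
    '{"ts": 1, "pid": 100, "ppid": 1,   "uid": 14,   "comm": "ftpd",  "exe": "/usr/sbin/ftpd", "argv": ["/usr/sbin/ftpd", "-D"]}',
    '{"ts": 2, "pid": 812, "ppid": 100, "uid": 14,   "comm": "sh",    "exe": "/bin/sh",        "argv": ["/bin/sh", "-i"]}',
    '{"ts": 3, "pid": 813, "ppid": 812, "uid": 14,   "comm": "id",    "exe": "/usr/bin/id",    "argv": ["id"]}',
    '{"ts": 4, "pid": 814, "ppid": 812, "uid": 14,   "comm": "uname", "exe": "/bin/uname",     "argv": ["uname", "-a"]}',
    '{"ts": 5, "pid": 815, "ppid": 812, "uid": 14,   "comm": "find",  "exe": "/usr/bin/find",  "argv": ["find", "/", "-perm", "-4000", "-type", "f"]}',
    '{"ts": 6, "pid": 816, "ppid": 812, "uid": 14,   "comm": "cat",   "exe": "/bin/cat",       "argv": ["cat", "/etc/shadow"]}',
    '{"ts": 7, "pid": 900, "ppid": 1,   "uid": 0,    "comm": "sshd",  "exe": "/usr/sbin/sshd", "argv": ["/usr/sbin/sshd", "-D"]}',
    '{"ts": 8, "pid": 901, "ppid": 900, "uid": 1000, "comm": "bash",  "exe": "/bin/bash",      "argv": ["-bash"]}',
    '{"ts": 9, "pid": 902, "ppid": 901, "uid": 1000, "comm": "ls",    "exe": "/bin/ls",        "argv": ["ls", "-la"]}',
    'this line is not JSON and must not take the collector down',
]

NETWORK_DAEMONS = {"sshd", "ftpd", "vsftpd", "httpd"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
RECON_TOOLS = {"id", "uname", "whoami", "ps", "netstat"}


def parse_feed(lines):
    """One JSON object per line; a malformed line is dropped, never fatal."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def ancestors(rec, by_pid, max_depth=16):
    """Walk the ppid chain through the exec records we hold.

    A child that forks without exec never produces a record, so the chain
    can have gaps; we stop at the first pid we have no record for, or at
    init, or after max_depth hops (guards against pid-reuse loops).
    """
    chain = []
    cur = rec
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def analyze(lines):
    """Return alerts for records that look like post-exploitation prodding."""
    records = parse_feed(lines)
    by_pid = {r["pid"]: r for r in records}  # last exec for a pid wins

    # Pass 1: a shell whose ancestor is a network daemon AND whose uid is the
    # daemon's own uid. A normal login shell drops to the user's uid, so it
    # is not matched; a shell popped out of the daemon keeps the daemon's uid.
    suspicious_shells = set()
    for r in records:
        if r["comm"] in SHELLS:
            for a in ancestors(r, by_pid):
                if a["comm"] in NETWORK_DAEMONS and a["uid"] == r["uid"]:
                    suspicious_shells.add(r["pid"])
                    break

    # Pass 2: tag every record. Recon only counts under a suspicious shell;
    # SUID hunting and unprivileged shadow reads are worth a look anywhere.
    alerts = []
    for r in records:
        tags = []
        if r["pid"] in suspicious_shells:
            tags.append("shell-as-daemon-uid")
        chain_pids = {a["pid"] for a in ancestors(r, by_pid)}
        from_bad_shell = bool(chain_pids & suspicious_shells)
        name = os.path.basename(r["exe"])
        argv = r["argv"]
        if from_bad_shell and name in RECON_TOOLS:
            tags.append("recon")
        if name == "find" and "-perm" in argv and any(
            "4000" in a or "u=s" in a or "u+s" in a for a in argv
        ):
            tags.append("suid-hunt")
        if "/etc/shadow" in argv and r["uid"] != 0:
            tags.append("shadow-read-unprivileged")
        if tags:
            alerts.append({"pid": r["pid"], "uid": r["uid"], "argv": argv, "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FEED):
        print(alert)
```

The uid comparison is the whole trick: it separates "sshd handed a user a shell" from "something running as the daemon got a shell", which is exactly the case the comment is about. The failed `cat /etc/shadow` is still an exec record, so the attempt is logged even though the read itself goes nowhere; and, as the comment concedes, an attacker who knows the hook is there can avoid exec entirely (a shell builtin or an in-process payload never hits execve), which is why this catches the initial prodding rather than a careful operator.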