Category Archives: Security

Replacing WinRing0 in Fan Control with PawnIO

Fan Control (also known as FanControl) is a great application that is going through some pain right now because of its reliance on the WinRing0 driver (written by hiyohiyo of CrystalDiskMark fame), which was created as a workaround to give developers an easy way to directly manage various things normally limited to a privileged layer called ring 0 on a system. It has long been known that WinRing0 is a dangerous tool that opens huge holes in your OS security, but minimal effort had been put into doing anything about it. Even big vendors like Razer and SteelSeries relied on it. Well, Microsoft Defender has finally stopped turning a blind eye and now flags it as malicious for most users.

Enter PawnIO. This is a new, signed driver capable of running arbitrary bytecode in ring 0…but with some checks and balances in place. It’s being developed to satisfy the needs of the open-source community to somehow safely have drivers in ring 0 without jumping through some of Microsoft’s hoops, which are insurmountable for many developers. Anyways, the details of that are better explained by someone else.

Right now you have four options:


Enabling pam_tty_audit on RHEL, CentOS, or Scientific Linux 6

aureport output

If you have plans to make use of the audit system in RHEL and its clones, you may decide to use pam_tty_audit. A lot of the top hits on Google will recommend enabling the module in /etc/pam.d/system-auth-ac, but because of changes related to better support for HIDs like fingerprint scanners, it actually belongs in /etc/pam.d/password-auth-ac, which is included by /etc/pam.d/sshd and others. One other complaint is that it logs passwords, but a patch was implemented in an update to RHEL 6 to address this.

Add the following line to the end of /etc/pam.d/password-auth-ac to enable keystroke logging for all users on a default RHEL, CentOS or Scientific Linux 6 server:

session     required      pam_tty_audit.so enable=*

The raw audit log can then be viewed at /var/log/audit/audit.log (which includes other audit events) or output in a somewhat friendlier format using aureport as root.

aureport --tty -ts today

The audit daemon buffers log writes according to the settings in /etc/audit/auditd.conf, so it could take some time before you see audit records for user activity. Check its man page for further information.
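As an added example (not code from the original post), here is a small Python script that does the decoding aureport performs over the raw type=TTY records in audit.log: it parses a few constructed sample records, hex-decodes the data= field, and groups keystrokes by login session (auid, ses). The record layout and the hex-encoded data= field are assumed from the kernel's TTY audit records; the sample lines are made up for the demonstration.

```python
import re
from collections import defaultdict

# Layout assumed from kernel TTY audit records; data= carries the keystrokes
# as a hex string (ausearch -i / aureport --tty decode it the same way).
TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=\d+ minor=\d+ comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)'
)

# Constructed sample audit.log excerpt (not from a real system): one
# non-TTY record that must be skipped, then two sessions' keystrokes.
SAMPLE_LOG = """\
type=USER_START msg=audit(1400000000.100:100): pid=2000 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=TTY msg=audit(1400000000.200:101): tty pid=2005 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C73202D6C61
type=TTY msg=audit(1400000001.300:102): tty pid=2005 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=0D
type=TTY msg=audit(1400000002.400:103): tty pid=3010 uid=1001 auid=1001 ses=4 major=136 minor=1 comm="bash" data=6364202F746D700D
"""


def parse_tty_records(text):
    """Yield one dict per type=TTY record; every other record type is skipped."""
    for line in text.splitlines():
        m = TTY_RE.match(line)
        if m:
            rec = m.groupdict()
            # latin-1 maps every byte to one character, so nothing is lost.
            rec["keys"] = bytes.fromhex(rec["data"]).decode("latin-1")
            yield rec


def sessions_keystrokes(text):
    """Concatenate decoded keystrokes per login session, keyed by (auid, ses)."""
    out = defaultdict(str)
    for rec in parse_tty_records(text):
        out[(int(rec["auid"]), int(rec["ses"]))] += rec["keys"]
    return dict(out)


def printable(keys):
    """Render control bytes for review: carriage return as <ret>, others as <0xNN>."""
    parts = []
    for c in keys:
        if 32 <= ord(c) < 127:
            parts.append(c)
        else:
            parts.append("<ret>" if c == "\r" else f"<0x{ord(c):02x}>")
    return "".join(parts)


if __name__ == "__main__":
    for (auid, ses), keys in sorted(sessions_keystrokes(SAMPLE_LOG).items()):
        print(f"auid={auid} ses={ses}: {printable(keys)}")
```

Point the script at /var/log/audit/audit.log (as root) to review a real session; note that aureport only shows a session once auditd has flushed its buffer, exactly as the paragraph above describes.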