Re: [PATCH 4/5] audit: add netlink multicast group for log read
On 14/03/12, Steve Grubb wrote:
On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
> On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > > Add a netlink multicast socket with one group to kaudit for
> > > "best-effort"
> > > delivery to read-only userspace clients such as systemd, in addition to
> > > the
> > > existing bidirectional unicast auditd userspace client.
> >
> > One question...we do have to have the ability to separate of secadm_r and
> > sysadm_r. By allowing this we will leak to a sysadmin that he is being
> > audited by the security officer. In a lot of cases, they are one in the
> > same person. But for others, they are not. I have a feeling this will
> > cause problems for MLS systems.
At first I had no idea what you were talking about but Eric's reply
helps to understand the context.
> A good question. But easily solved in policy. Don't give
> CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
> from the multicast socket.
This seems like an easy one.
That also means that we probably want an audit event for any
successful and
unsuccessful attempts to connect for _reading_ audit events.
That could easily be added to the new custom netlink bind function.
-Steve
> As to what others who read from the journal I guess we can just make
> sure it is a config option whether to collect or not. Most everyone
> would want to collect, but some configs might obviously not.
This would be easy to add as a "feature", I'm guessing...
> I'll roll around in the back of my head the ability for
auditctl to
> disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
> lot more nicely...
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545