1:12 p.m.
Hi,
I spent my weekend researching this:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160929
I think I have a solution for the original "I can't log in" problem. There
is
a new one, though. It seems that the user space audit messages go to the
screen after login when they don't have an audit daemon running. This leads
to 4 pam state messages immediately on login, messages when you run a trusted
app like passwd, or whenever hwclock runs. This is not desirable.
Looking at the source code in audit.c, kauditd_thread:
printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));
Do we need the priority level to be that high or should it be either:
1) user adjustable: all messages types same priority
2) only AVC, USER_AVC, & SE_LINUX_ERR get that level - everything else is
LOG_INFO so that syslog can optionally discard the messages
3) both meaning there are 3 knobs: SE Linux has user adjustable priority, file
system and sycall has a user adjustable priority, and everything else has
another.
I think we've overlooked this minor usability issue. It really is ugly when
there's no audit daemon.
-Steve
6:20 p.m.
On Sun, 2005-06-19 at 14:12 -0400, Steve Grubb wrote:
It seems that the user space audit messages go to the
screen after login when they don't have an audit daemon running. This leads
to 4 pam state messages immediately on login, messages when you run a trusted
app like passwd, or whenever hwclock runs. This is not desirable.
We should probably just refrain from passing on user-generated messages
when !audit_enabled. I'll do that in the next build.
--
dwmw2
4:57 p.m.
On Sunday 19 June 2005 19:20, David Woodhouse wrote:
We should probably just refrain from passing on user-generated
messages
when !audit_enabled. I'll do that in the next build.
We still have a minor problem. The new patch for hwclock in util-linux causes
it to put a big nasty audit message on the screen during shutdown.
-Steve
5:56 a.m.
On Wednesday 22 June 2005 02:50, David Woodhouse wrote:
> We still have a minor problem. The new patch for hwclock in
util-linux
> causes it to put a big nasty audit message on the screen during
> shutdown.
Why isn't audit disabled at this point?
Which program would be responsible for disabling the audit system? init?
Also, there are actions that occur on shutdown that SE Linux people need to
see in order to correct policy. So, we can't affect AVC messages including
USER_AVC.
-Steve
6:22 a.m.
On Wed, 2005-06-22 at 06:56 -0400, Steve Grubb wrote:
> Why isn't audit disabled at this point?
Which program would be responsible for disabling the audit system?
init?
I was thinking that either auditd should be running or the audit system
should have been disabled.
Also, there are actions that occur on shutdown that SE Linux people
need to
see in order to correct policy. So, we can't affect AVC messages including
USER_AVC.
So we should exempt USER_AVC messages from the patch which discards user
messages when audit_enabled == 0? I can do that in a new kernel build.
--
dwmw2
6:36 a.m.
On Wednesday 22 June 2005 07:22, David Woodhouse wrote:
> Which program would be responsible for disabling the audit
system?
> init?
I was thinking that either auditd should be running or the audit system
should have been disabled.
hwclock sync is done after auditd is shutdown. auditd doesn't know the system
is going down, "service auditd stop" doesn't really express that. Also,
syslog exits very early in the shutdown, so these really only go to console
screen.
> Also, there are actions that occur on shutdown that SE Linux
people need
> to see in order to correct policy. So, we can't affect AVC messages
> including USER_AVC.
So we should exempt USER_AVC messages from the patch which discards user
messages when audit_enabled == 0? I can do that in a new kernel build.
Yes. USER_AVC and the whole SE Linux message type range can/should be
displayed to console. However, I still wonder if that could be user
configurable. In other words, should user message types have KERN_ERR or
KERN_NOTICE (with the exception of USER_AVC)?
-Steve
6:51 a.m.
On Wed, 2005-06-22 at 07:36 -0400, Steve Grubb wrote:
Yes. USER_AVC and the whole SE Linux message type range can/should be
displayed to console. However, I still wonder if that could be user
configurable. In other words, should user message types have KERN_ERR
or KERN_NOTICE (with the exception of USER_AVC)?
I'll wait for you to appear on IRC so we can explore this further.
--
dwmw2
7123
days inactive
7126
days old
linux-audit@lists.linux-audit.osci.io
7 comments
2 participants
participants (2)
-
David Woodhouse -
Steve Grubb