Re: SELinux for auditing
On Tuesday 30 January 2007 19:11, Matthew Booth wrote:
I have a couple of requirements which on the face of it don't
seem
simple to achieve with auditctl. These are:
* Audit changes to executables
* Audit changes to configuration files
I'll concentrate on the former as it's more obviously problematic. I
believe this would require putting a watch explicitly on every
executable in the system.
Assuming current generation of audit code...
auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=bin_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=lib_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=shlib_t -k executables
If this isn't correct, please correct me and this problem goes
away.
Try the above. "ausearch -k executables" would let you find these events.
This does 2 things. Firstly it enforces that the system won't
execute
files which aren't labelled with an executable type.
This might not be a bad thing to include even if the audit rules above solve
your problem.
However, I'm worried I might be stepping outside design
intentions. Is
the above a good idea?
I'm hoping the audit system can meet any audit requirements. If not we need to
work some more at it.
Is using SELinux for writing auditing rules a good idea in general?
If there are shortcomings in the audit system that you can solve another way,
I guess you have no choice. But we'd like to know that people cannot use the
audit system for its intended purpose.
-Steve