On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted capability read-only netlink multicast socket to kernel audit to
> > enable userspace clients such as systemd/journald to receive audit logs, in
> > addition to the bidirectional auditd userspace client.
> Do we have the ability to separate secadm_r and sysadm_r? By allowing this, we
> will leak to a sysadmin that he is being audited by the security officer. In a
> lot of cases, they are one and the same person. But for others, they are not. I
> have a feeling this will cause problems for MLS systems.
Why? This requires CAP_AUDIT_READ. Just don't give CAP_AUDIT_READ to
places you don't want to have read permission. Exactly the same as you
don't give CAP_AUDIT_CONTROL to sysadm_r. (If we are giving
CAP_AUDIT_CONTROL to sysadm_r and you think that any file protections
on /var/log/audit/audit.log are adequate we are fooling ourselves!)
> Also, shouldn't we have an audit event for every attempt to connect to this
> socket? We really need to know where this information is getting leaked to.
We certainly can. What would you like to see in that event?
-Eric
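The enforcement point Eric describes above (joining the read-only multicast group requires CAP_AUDIT_READ) can be checked from userspace. The probe below is an added example, not code from the patch set or from anyone in this thread; it assumes the multicast group name AUDIT_NLGRP_READLOG from <linux/audit.h> (value 1, as shipped since kernel 3.16) and that the kernel answers a bind() by an uncapable process with EPERM.

```c
/* Added example: probe whether this process may join the read-only audit
 * multicast group. Assumes AUDIT_NLGRP_READLOG from <linux/audit.h>;
 * a fallback of 1 is defined for headers that predate it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1   /* value used by the kernel since 3.16 */
#endif

enum join_outcome { JOIN_OK, JOIN_DENIED, JOIN_UNSUPPORTED, JOIN_OTHER };

/* nl_groups is a bitmask: multicast group N is bit N-1. */
static unsigned int audit_readlog_group_mask(void)
{
    return 1u << (AUDIT_NLGRP_READLOG - 1);
}

/* Map a bind() result to what it says about CAP_AUDIT_READ enforcement. */
static enum join_outcome classify_join(int rc, int err)
{
    if (rc == 0)        return JOIN_OK;      /* caller holds CAP_AUDIT_READ */
    if (err == EPERM)   return JOIN_DENIED;  /* kernel refused: no CAP_AUDIT_READ */
    if (err == EPROTONOSUPPORT || err == EAFNOSUPPORT || err == ESOCKTNOSUPPORT)
        return JOIN_UNSUPPORTED;             /* no NETLINK_AUDIT on this kernel */
    return JOIN_OTHER;
}

/* Open NETLINK_AUDIT and try to bind to the READLOG group.
 * Returns 0 on success or -errno; nothing is read from the socket. */
static int try_join_audit_readlog(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) return -errno;
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK,
                                .nl_groups = audit_readlog_group_mask() };
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    int err = rc < 0 ? errno : 0;
    close(fd);
    return rc < 0 ? -err : 0;
}

int main(void)
{
    static const char *names[] = { "joined: CAP_AUDIT_READ held",
        "denied (EPERM): CAP_AUDIT_READ absent", "audit netlink unsupported here",
        "other error" };
    int rc = try_join_audit_readlog();
    printf("%s (%s)\n", names[classify_join(rc == 0 ? 0 : -1, -rc)],
           rc ? strerror(-rc) : "ok");
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_AUDIT_READ granted (for example via setcap or a service unit's capability set) to confirm that only the latter reports "joined".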