On Monday 08 March 2010 08:37:50 pm tianyong1979sh wrote:
> My work is that when a user runs "getfacl" or "setfacl", whether it
> succeeds or fails, the auditd process can log this operation.
On Linux, ACLs are stored as extended attributes. You can audit success and
failure by using these rules:

-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b32 -S getxattr -S lgetxattr -S fgetxattr -S listxattr -S llistxattr -S flistxattr
-a exit,always -F arch=b64 -S getxattr -S lgetxattr -S fgetxattr -S listxattr -S llistxattr -S flistxattr

You can also add a -k setfacl and -k getfacl respectively if you wanted.
SELinux also writes to the xattrs when policy is updated, so you would possibly
have that issue, too.
> and the operation type is AUDIT_DAC_CHECK, which is defined in
> libaudit.h.
That type is meant for applications that do access control. In other words,
suppose an application connects to a local server and the server checks its
access control rules and decides that a connection should be allowed or
rejected. In that case, you would use this type. For any other use, the
generic AUDIT_TRUSTED_APP type is available for anything.
> In order to reach the destination, I modified the code in the packages
> acl-2.2.39 and audit-1.7.7. Firstly, I added the function
> audit_log_acct_message() in the files getfacl.c and setfacl.c at the
> audited place; the function audit_log_acct_message() is in the file
> audit_logging.c of audit-1.7.7. Secondly, I built the acl project and the
> result is ok. Then I ran the getfacl binary. When the user is root, the
> audit message of the getfacl operation can be logged. But when the user is
> a normal user, the audit message can't be logged.
Correct. This is so that unprivileged users and operations cannot spam the
audit logs. Allowing anything to write to the audit system would destroy the
integrity guarantees and reduce it to being another syslog.
> The errno value is "Operation not permitted". When I execute the command
> "chmod u+s getfacl" as root, the audit message of the getfacl operation
> can be logged as a normal user. How can I resolve the problem so that
> when a normal user with normal authority executes the command "getfacl",
> the audit system can still log the operation?????
You would need to make the application setuid root or if your OS supports file
system based capabilities, then you can grant CAP_AUDIT_WRITE to the program.
But, do you really need to alter getfacl and setfacl? We were able to obtain
Common Criteria certification without modifying those apps. Besides, someone
could use another app besides those two to write/read the ACLs. Only watching
the syscalls can provide a complete solution.
-Steve
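As an added example (not part of this thread or of the audit package), a small Python parser that reads raw audit SYSCALL records produced by the xattr rules above and counts events per login uid, command, syscall and outcome. It handles x86_64 only (arch=c000003e; the syscall-number table is an assumption for that architecture) and the log records are constructed samples, chosen to show that an ACL written by a tool other than setfacl is still caught, which is the point of auditing the syscalls rather than the two programs.

```python
import re
from collections import Counter

# x86_64 (arch=c000003e) numbers for the xattr syscalls named in the b64
# rules above. Assumption: x86_64 only; the b32 numbers are different.
XATTR_SYSCALLS_X86_64 = {
    188: "setxattr", 189: "lsetxattr", 190: "fsetxattr",
    191: "getxattr", 192: "lgetxattr", 193: "fgetxattr",
    194: "listxattr", 195: "llistxattr", 196: "flistxattr",
    197: "removexattr", 198: "lremovexattr", 199: "fremovexattr",
}

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one raw audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def xattr_events(lines):
    """Yield (auid, comm, syscall name, succeeded) for every SYSCALL record
    in the xattr family; PATH, CWD and other record types are skipped."""
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
            continue
        name = XATTR_SYSCALLS_X86_64.get(int(rec.get("syscall", -1)))
        if name is None:
            continue
        yield (rec.get("auid"), rec.get("comm"), name, rec.get("success") == "yes")

def summarize(lines):
    """Count events per (auid, comm, syscall, succeeded); failed attempts by
    unprivileged login uids are visible directly in the result."""
    return Counter(xattr_events(lines))

# Constructed sample records (not real log data): root's setfacl succeeds,
# an unprivileged user's setfacl fails, that user reads an ACL with getfacl,
# and a python3 process sets an ACL xattr without going through setfacl.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1268083070.101:501): arch=c000003e syscall=188 success=yes exit=0 a0=7fff a1=7fff a2=7fff a3=0 items=1 ppid=900 pid=901 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setfacl" exe="/usr/bin/setfacl" key="setfacl"',
    'type=SYSCALL msg=audit(1268083070.202:502): arch=c000003e syscall=188 success=no exit=-1 a0=7fff a1=7fff a2=7fff a3=0 items=1 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="setfacl" exe="/usr/bin/setfacl" key="setfacl"',
    'type=SYSCALL msg=audit(1268083070.303:503): arch=c000003e syscall=191 success=yes exit=28 a0=7fff a1=7fff a2=7fff a3=1c items=1 ppid=1000 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="getfacl" exe="/usr/bin/getfacl" key="getfacl"',
    'type=SYSCALL msg=audit(1268083070.404:504): arch=c000003e syscall=189 success=yes exit=0 a0=7fff a1=7fff a2=7fff a3=0 items=1 ppid=1000 pid=1003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm="python3" exe="/usr/bin/python3" key="setfacl"',
    'type=PATH msg=audit(1268083070.404:504): item=0 name="/tmp/x" inode=12 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00',
]

if __name__ == "__main__":
    for (auid, comm, name, ok), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"auid={auid} comm={comm} syscall={name} success={ok} count={n}")
```

On a live system the same function can be fed the output of `ausearch -k setfacl --raw` (or the audit log file) line by line.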