On Tuesday 26 September 2006 5:46 pm, Linda Knippers wrote:
paul.moore(a)hp.com wrote:
> This patch is a first attempt at adding auditing support to NetLabel,
> based on a conversation with Steve Grubb on irc last Friday (9/22). I
> wanted to send this out to the audit mailing list first to get some
> feedback on such things as message types and message formats. Once I
> have collected your feedback I plan on posting the next version of the
> patch to both the netdev and audit mailing lists for inclusion in 2.6.19.
>
> So please, if you have comments/concerns/etc. please share them now so
> this does not get held up later - thank you.
It might be helpful if you also mailed out some examples of the audit
records generated by this code.
Sheesh, isn't that what the code is for :)
Anyway, here are all of the audit messages along with some actions that will
cause them to be triggered. I tried to model the message format off a
combination of SELinux AVC and syscall messages. Bear in mind that the
message type appears as unknown because the audit daemon does not yet know
about the new message types. Once again, comments are welcome.
# netlabelctl unlbl accept on
type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl
action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl"
(there is also an audit message for "unlbl accept off" which changes
"action=accept" to "action=deny")
# netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0 categories:0=0
type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" doi=1 type=std
# netlabelctl cipsov4 add pass doi:1 tags:1
type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" doi=2 type=pass
# netlabelctl cipsov4 del doi:2
type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" doi=2
# netlabelctl map add domain:foo_t protocol:cipsov4,1
type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1
# netlabelctl map add domain:bar_t protocol:unlbl
type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl
# netlabelctl map del domain:bar_t
type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" domain=bar_t
(when operating on the default mapping the "domain=<domain string>" is
replaced with "domain=(default)")
--
paul moore
linux security @ hp
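As an added example for this thread (not code from NetLabel, audit, or the patch under discussion), the parser below reads the records quoted above the way an auditor would have to consume them: it rejoins the lines the mail client wrapped, separates the `type=UNKNOWN[n] msg=audit(ts:serial)` header from the `netlabel:` field list, and keeps the cipsov4 `type=std`/`type=pass` body field from colliding with the header's `type=`. The names `NetLabelRecord`, `parse_log`, `describe` and `flag_unexpected` are this example's own, the type numbers are left numeric because the thread says auditd does not yet know them, and the fourth record in the sample (serial 430, `/home/alice/bin/nlctl`, `domain=baz_t`) is constructed here to show a change that a reviewer would want flagged; it is not from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: records from the thread with the mail client's line wrapping,
# plus one constructed record (serial 430) that is not from the thread.
SAMPLE_LOG = """\
# netlabelctl unlbl accept on
type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl
action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl"
# netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0 categories:0=0
type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" doi=1 type=std
# netlabelctl map del domain:bar_t
type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl"
exe="/usr/local/sbin/netlabelctl" domain=bar_t
# constructed record (not from the thread): map change via su, other binary
type=UNKNOWN[1410] msg=audit(1159363000.000:430): netlabel: module=map
action=add auid=500 uid=0 euid=0 tty=pts1 pid=6800 comm="nlctl"
exe="/home/alice/bin/nlctl" domain=baz_t protocol=unlbl
"""

# Record header: type name, the numeric type shown in brackets while auditd
# does not yet know the new types, and the audit(timestamp:serial) stamp.
HEADER_RE = re.compile(
    r"^type=(?P<name>[A-Z_]+)(?:\[(?P<num>\d+)\])?\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# Body fields: bare tokens, or double-quoted strings as used for comm= and exe=.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class NetLabelRecord:
    type_name: str
    type_num: Optional[int]
    timestamp: float
    serial: int
    fields: dict


def join_wrapped_records(text):
    """Rejoin records split by mail wrapping: a record starts at 'type=' and
    continues until the next record, a '# command' line or a '(note)' line."""
    records, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("type="):
            if current:
                records.append(" ".join(current))
            current = [line]
        elif not line or line[0] in "#(":
            if current:
                records.append(" ".join(current))
            current = []
        elif current:
            current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_record(line):
    """Split one rejoined record into its header and its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    body = m.group("body")
    if body.startswith("netlabel:"):  # NetLabel prefixes its fields this way
        body = body[len("netlabel:"):]
    # Parse the body only: cipsov4 records carry a 'type=std'/'type=pass'
    # field that would collide with the header's 'type=' on a naive split.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    num = m.group("num")
    return NetLabelRecord(m.group("name"), int(num) if num else None,
                          float(m.group("ts")), int(m.group("serial")), fields)


def parse_log(text):
    return [parse_record(r) for r in join_wrapped_records(text)]


def describe(rec):
    """One-line summary: which module changed how, on what object, by whom."""
    f = rec.fields
    detail = " ".join(f"{k}={f[k]}" for k in ("doi", "type", "domain", "protocol")
                      if k in f)
    return (f"{rec.serial}: {f['module']} {f['action']}"
            + (f" {detail}" if detail else "")
            + f" by auid={f['auid']} comm={f['comm']}")


def flag_unexpected(records, expected_exe="/usr/local/sbin/netlabelctl"):
    """Serials worth a second look: the change did not come from the expected
    tool, or the login uid (auid) differs from uid, i.e. it came via su/sudo."""
    return [rec.serial for rec in records
            if rec.fields.get("exe") != expected_exe
            or rec.fields.get("auid") != rec.fields.get("uid")]
```

`parse_log(SAMPLE_LOG)` yields four records; `describe` turns the cipsov4 one into `416: cipsov4 add doi=1 type=std by auid=0 comm=netlabelctl`, and `flag_unexpected` returns only the constructed serial 430, because its `exe` is not the expected tool and its `auid` (500) differs from `uid` (0). The `auid` check is the reason the proposed format carries both fields: it ties a labeling change back to the login session that made it, even when the actual uid at the time was root.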