On Wed, 8 Sep 2004, Stephen Smalley wrote:
> SELinux already supports auditing based on security labels. Stephen
> Tweedie further suggested introducing a separate security.audit
> attribute for files that would allow you to mark a file for auditing
> without necessarily using a separate security label on it (or without
> even SELinux at all). Using attributes is definitely preferable to
> pathname-based approaches, as it allows you to unambiguously mark the
> real object and avoids the usual pathname manipulation games.
I think there are some drawbacks to this approach, which I've previously
outlined privately:
If someone manages to modify/remove the xattr, then further auditing would
not work for that file. How do you stop this from happening in a DAC
system? With a centralized audit policy, you only need to protect the
path through which the policy is loaded.
How do you manage global audit policy? e.g. the question 'which files
will be audited?' requires a non-atomic scan of the entire filesystem.
Similarly, implementing a policy of 'audit all attempts to write to files
in /bin' implies a non-atomic operation, where, e.g. a new file could be
written to /bin after the xattr tagging started.
I think it's better to have a centralized policy which can be updated
atomically and applied within the kernel, rather than being distributed
with each object to be audited.
- James
--
James Morris
<jmorris(a)redhat.com>
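The two failure modes James raises above (an xattr stripped from an object, and a file created after a non-atomic tagging scan has already taken its snapshot) can be made concrete with a small model. The following is an added example, not code from this thread, from SELinux, or from the Linux audit subsystem: it simulates an in-memory filesystem with a hypothetical `security.audit` attribute and compares per-object tagging against a centralized policy of rules evaluated at access time. The rule format, the `ToyFS` class and all paths are constructed for the illustration.

```python
"""Toy model contrasting per-object audit tags with a centralized audit
policy. Constructed example: no real xattr syscalls are made, and the
'filesystem' is an in-memory dict keyed by path."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

AUDIT_XATTR = "security.audit"  # attribute name proposed in the thread


@dataclass
class Inode:
    path: str
    xattrs: dict = field(default_factory=dict)


class ToyFS:
    """Minimal in-memory filesystem: paths mapped to inodes with xattrs."""

    def __init__(self):
        self.inodes = {}

    def create(self, path):
        self.inodes[path] = Inode(path)

    def setxattr(self, path, name, value):
        self.inodes[path].xattrs[name] = value

    def removexattr(self, path, name):
        self.inodes[path].xattrs.pop(name, None)

    def walk(self, directory):
        """Snapshot of the entries under directory at the moment of the call."""
        prefix = directory.rstrip("/") + "/"
        return [p for p in self.inodes if p.startswith(prefix)]


# --- Design 1: the audit decision travels with each object as an xattr ----

def tag_tree_steps(fs, directory):
    """Tag one file per step so a concurrent create can be interleaved
    between steps; this is what makes the scan non-atomic."""
    for path in fs.walk(directory):  # snapshot is taken once, here
        fs.setxattr(path, AUDIT_XATTR, b"1")
        yield path


def xattr_should_audit(fs, path):
    return AUDIT_XATTR in fs.inodes[path].xattrs


# --- Design 2: one centralized policy evaluated at access time -----------

class AuditPolicy:
    def __init__(self):
        self.rules = []  # list of (glob pattern, frozenset of operations)

    def load(self, rules):
        # The whole rule set is replaced in one step, so there is no window
        # in which half of the policy applies.
        self.rules = [(pattern, frozenset(ops)) for pattern, ops in rules]

    def should_audit(self, path, op):
        return any(fnmatch(path, pattern) and op in ops
                   for pattern, ops in self.rules)


def run_scenarios():
    """Return, per scenario, whether each design would audit the access."""
    fs = ToyFS()
    for p in ("/bin/ls", "/bin/cat", "/etc/passwd"):
        fs.create(p)

    policy = AuditPolicy()
    policy.load([("/bin/*", {"write"})])  # 'audit all writes to files in /bin'

    # Scenario A: a file is created while the tagging scan is in progress.
    scan = tag_tree_steps(fs, "/bin")
    next(scan)                     # one file tagged so far
    fs.create("/bin/newtool")      # concurrent write into /bin
    for _ in scan:                 # scan completes over its stale snapshot
        pass
    new_file = {"xattr": xattr_should_audit(fs, "/bin/newtool"),
                "policy": policy.should_audit("/bin/newtool", "write")}

    # Scenario B: the xattr is stripped from an object that had been tagged.
    fs.removexattr("/bin/ls", AUDIT_XATTR)
    stripped = {"xattr": xattr_should_audit(fs, "/bin/ls"),
                "policy": policy.should_audit("/bin/ls", "write")}

    # Control: a path outside the rule is audited by neither design.
    outside = {"xattr": xattr_should_audit(fs, "/etc/passwd"),
               "policy": policy.should_audit("/etc/passwd", "write")}

    return {"new_file_during_scan": new_file,
            "xattr_removed": stripped,
            "outside_rule": outside}
```

In both failure scenarios the per-object design silently stops auditing while the centralized policy still fires, which is the point of the argument: with a central policy the only thing that needs protecting is the path by which the policy is loaded, not an attribute on every object.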