--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
> Hello,
>
> But last night in a dream, a giant donut told me that I should just
> create a file, watch.list, which auditd will read when it's started and
> insert any/all new watches into the filesystem.
Donuts are notoriously one-dimensional in their approach to problems
like this. The notion is simple and attractive, but ...

If /etc/passwd is (hard) linked as /tmp/mojo, accesses to the file may
be missed. Your scheme is monitoring the file system name space, not the
file system objects. This is a close approximation of what you need, but
not sufficient.
> This way, when we mount over /etc, and we're watching /etc/passwd, then
> when we restart auditd, it will insert a watch for /etc/passwd on the
> new device.
Which is correct from a namespace view but wrong from an object view.
> We do it this way so we minimize our impact on kernel code (not sure we
> want to go screwing around with mount())
The impact should be in the real right place, and no sneaking about.
> This might be a little cumbersome to do when we wish to remove watch
> points, because in theory, we'd want to detect the absence of
> /etc/passwd on a restart to know that we must remove its watch point
> from the file system. Does this sound reasonable or do we need a
> greater degree of flexibility with the ability to insert/remove watch
> points without restarting auditd like we do with rules?
To meet CAPP and LSPP requirements you need to address both file system
name space and file system object audit issues.

    # mv /etc/passwd /tmp/foo
    # touch /etc/passwd
    # analyse /tmp/foo

The object that was named /etc/passwd has been "analyse"d, and if you
care about the object or the data it contained, you should be able to
find that in the audit trail. It is also interesting that the current
object located in the name space at /etc/passwd was created by touch.
Name space alone does not tell the whole story.
Now, was it a jelly donut, or a Krispy Kreme?
=====
Casey Schaufler
casey(a)schaufler-ca.com
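The name-space-versus-object distinction above, as an added demonstration that is not part of the thread (my own script, not auditd code). It stands in for /etc/passwd with a temporary file and keys one "watch" on the pathname (re-resolved each time, as the watch.list scheme would) and another on the (dev, ino) pair, then runs the hard-link and mv/touch cases from the message.

```python
import os
import shutil
import tempfile


def object_id(path):
    """Identify the file system object a name currently resolves to."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def demo():
    """Return which watch scheme still tracks the original object.

    Uses a constructed temp directory; 'passwd' plays /etc/passwd,
    'mojo' plays the hard link /tmp/mojo and 'foo' plays /tmp/foo.
    """
    d = tempfile.mkdtemp()
    try:
        passwd = os.path.join(d, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample
        # Object-keyed watch: remember the (dev, ino) of the real object.
        watched_object = object_id(passwd)

        # Case 1: hard link. A pathname watch on 'passwd' never sees
        # accesses via 'mojo', yet both names are the same object.
        mojo = os.path.join(d, "mojo")
        os.link(passwd, mojo)
        link_is_same_object = object_id(mojo) == watched_object

        # Case 2: mv + touch. The name now resolves to a brand-new object;
        # a pathname watch silently follows it, the object watch does not.
        foo = os.path.join(d, "foo")
        os.rename(passwd, foo)
        open(passwd, "w").close()  # the 'touch'
        path_watch_now_sees = object_id(passwd)

        return {
            "hardlink_is_same_object": link_is_same_object,
            "path_watch_switched_to_new_object": path_watch_now_sees != watched_object,
            "object_watch_still_finds_data_at_foo": object_id(foo) == watched_object,
        }
    finally:
        shutil.rmtree(d)
```

Every key comes back True on a normal local file system, which is exactly the gap Casey describes: the name-space watch ends up on the file created by touch while the data went to /tmp/foo.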