On Sun, Jan 5, 2020 at 10:22 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
Common Criteria calls out for any action that modifies the audit
trail to
be recorded. That usually is interpreted to mean insertion or removal of
rules. It is not required to log modification of the inode information
since the watch is still in effect. Additionally, if the rule is a never
rule and the underlying file is one they do not want events for, they
get an event for this bookkeeping update against their wishes.
Since no device/inode info is logged at insertion and no device/inode
information is logged on update, there is nothing meaningful being
communicated to the admin by the CONFIG_CHANGE updated_rules event. One
can assume that the rule was not "modified" because it is still watching
the intended target. If the device or inode cannot be resolved, then
audit_panic is called which is sufficient.
I think the correct resolution is to drop logging config_update events
since the watch is still in effect but just on another unknown inode.
Either this patch is the correct resolution or it isn't, the
description should state that clearly. If you are unsure we can
discuss it, but it sounds like you are certain that this record isn't
needed here, yes?
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
---
kernel/audit_watch.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 4508d5e0cf69..8a8fd732ff6d 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent *parent,
if (oentry->rule.exe)
audit_remove_mark(oentry->rule.exe);
- audit_watch_log_rule_change(r, owatch,
"updated_rules");
-
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
--
paul moore
www.paul-moore.com