On Thu, 8 Sep 2005, Steve Grubb wrote:
> Hello,
> I created the audit patch. I'll see if I can address some of these questions.
I've just added your address to the allow rule of the shadow list. You are not
subscribed to the list, but you can now send any message to the list (without
being suspended).
First: I want to say "thank you" for the response.
Second: it seems most of my remarks sent to Peter were incorrect (my
knowledge of the auditing subsystem was very limited).
[..]
> First, from the edge .. chage.c:
>
> if (!amroot && !lflg) {
>     fprintf (stderr, _("%s: Permission denied.\n"), Prog);
> #ifdef WITH_AUDIT
>     audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "change age",
>                   NULL, getuid (), 0);
> #endif
>     exit (E_NOPERM);
> }
>
> In this place the auditing comment is "change age", as in the case of changing
> the user account age, but it is an *error* report, *not* the performing of this chage.
> Many other places where audit_logger() was injected are very similar.
What would be a better description of the operation? We cannot get too
descriptive as the shadow utils patch has about 325 messages added for
auditing. I also need the text to be short as each audit message consumes
disk space. So we are trying to be sensitive to that as well.
My fault. Now I see this is correct because audit_logger() has an argument
where the operation status is passed. I lost this by suggesting the meaning of
*_CHAUTHTOK and the "change age" message without any clearly visible remark
about notifying of an operation which did not pass correctly.
Now I see the next possible change to the auditing changes in shadow: add some
#defines for use in the last (result) argument of audit_logger() (shooting from
the hip: probably AUDIT_SUCCESS, AUDIT_FAILED will be good). This can make this
code easier to understand quickly as to what is performed in the audit_logger()
call (without studying libmisc/audit_help.c).
> From libaudit.h:
>
> #define AUDIT_USER_AUTH      1100 /* User space authentication */
> #define AUDIT_USER_ACCT      1101 /* User space acct change */
> #define AUDIT_USER_MGMT      1102 /* User space acct management */
> #define AUDIT_CRED_ACQ       1103 /* User space credential acquired */
> #define AUDIT_CRED_DISP      1104 /* User space credential disposed */
> #define AUDIT_USER_START     1105 /* User space session start */
> #define AUDIT_USER_END       1106 /* User space session end */
> #define AUDIT_USER_AVC       1107 /* User space avc message */
> #define AUDIT_USER_CHAUTHTOK 1108 /* User space acct attr changed */
> #define AUDIT_USER_ERR       1109 /* User space acct state err */
> #define AUDIT_CRED_REFR      1110 /* User space credential refreshed */
> #define AUDIT_USYS_CONFIG    1111 /* User space system config change */
>
> On first look at this list, logging all auditing records as
> AUDIT_USER_CHAUTHTOK is incorrect.
Remember this is pamish. We may need a new message type for adding and
deleting a user account or group. That makes more sense to me.
Maybe I'm wrong, but IMO AUDIT_USER_CHAUTHTOK is not a good name.
AUDIT_USER_CHAUTH_TOK will probably be better. Usually on reading words we first
see the beginning and end of a word/phrase (plain physiology). In this case it
will be better to see AUDIT_*_TOK instead of AUDIT_*OK :o)
This is why I was confused by the code from chage.c :)
> Probably using "useradd -D <other_options>" will be good to report as
> AUDIT_USYS_CONFIG (?).
This is for changes to the system config like hwclock that are mandated by the
CAPP specification.
> Successfully changing account properties as
> AUDIT_USER_ACCT (what about changing group properties?).
I didn't see any properties other than adding a user to a group. This should
be recorded from the user's perspective as changes to the account.
OK, but the names of the AUDIT_* defines in libaudit.h do not suggest that this
can also be used for group(s) operations.
> Probably start/stop of su, login, newgrp sessions will be good to mark as
> AUDIT_USER_START/AUDIT_USER_END (?).
Yes. I don't think newgrp has session start/end, but it probably should.
Look at newgrp.c at the PAM-dependent code (or "grep fork newgrp.c").
The shadow package used in Fedora does not use PAM abilities (all code is
built from code configured --without-libpam; IMO this is incorrect
because this limits the use of these tools to only "files" NSS type databases).
> After spending more time there will probably be many more questions
> like the above.
Please cc me on these questions as I can help explain what was done. There is
also an audit mail list just in case you are interested.
www.redhat.com/mailman/listinfo/linux-audit. I'm cc'ing this to that mail
list since it looks like I may have a few action items.
Hope this helps...
Probably I'll try to consult with you (directly or on the list) on any future
changes in shadow related to the auditing subsystem (not all shadow commands
have auditing support now).
kloczek
--
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek(a)rudy.mif.pg.gda.pl*
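As an added example (not code from this thread, from shadow or from libaudit), here is a self-contained C model of the chage.c audit_logger() call quoted above, using the AUDIT_SUCCESS/AUDIT_FAILED defines proposed in this reply. The record layout and the buffer-writing wrapper are assumptions standing in for libmisc/audit_help.c and libaudit, which send the record to the kernel instead of returning it.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for the last audit_logger() argument, as proposed above
 * (hypothetical names; the shadow patch passes bare 0/1). */
#define AUDIT_FAILED  0
#define AUDIT_SUCCESS 1

/* Message types copied from the libaudit.h excerpt quoted above. */
#define AUDIT_USER_ACCT      1101
#define AUDIT_USER_CHAUTHTOK 1108

/* Stand-in for libmisc/audit_help.c (assumption): formats a user-space
 * record in the "op=... res=success|failed" style libaudit uses, writes it
 * into buf instead of sending it to the kernel, and returns the type used. */
int audit_logger(int type, const char *pgname, const char *op,
                 const char *name, unsigned int id, int result,
                 char *buf, size_t buflen)
{
    snprintf(buf, buflen, "type=%d op=%s acct=%s exe=%s auid=%u res=%s",
             type, op, name ? name : "?", pgname, id,
             result == AUDIT_SUCCESS ? "success" : "failed");
    return type;
}

/* The chage.c permission check quoted above, with the proposed define: the
 * op text stays "change age"; the res= field records that it was denied.
 * Returns -1 when denied, 0 when the caller may proceed. */
int chage_check_perm(int amroot, int lflg, unsigned int uid,
                     char *buf, size_t buflen)
{
    if (!amroot && !lflg) {
        audit_logger(AUDIT_USER_CHAUTHTOK, "chage", "change age", NULL, uid,
                     AUDIT_FAILED, buf, buflen);
        return -1;
    }
    audit_logger(AUDIT_USER_CHAUTHTOK, "chage", "change age", NULL, uid,
                 AUDIT_SUCCESS, buf, buflen);
    return 0;
}

int main(void)
{
    char rec[256];
    chage_check_perm(0, 0, 1000, rec, sizeof rec);   /* unprivileged caller */
    puts(rec);
    chage_check_perm(1, 0, 0, rec, sizeof rec);      /* root */
    puts(rec);
    return 0;
}
```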