4:53 p.m.
RBACPP places requirements on "selective audit".
FAU_SEL.1
Selective Audit
FAU_SEL.1.1
The TSF shall be able to include or exclude auditable events from the
set of audited events based on the following attributes:
(a) Object identity, user identity, subject identity, host identity, and
event type
(b) Users belonging to a specified Role and Access types (e.g. delete,
insert) on a particular object
---
The following patches add the capabilities required to userspace and the
kernel to allow administrators to filter out audit records based on the
event type.
The audit message type is known as early on as in the call to
audit_log_start(), and thus, placing a check against the filter there
would save the kernel considerable effort allocating buffers and
printing them when the record would ultimately be thrown away (if it
were filtered later). I placed this call just after the verification of
audit_initialized.
When coupled with the previous patches I submitted adding support for
advanced operators (<, >, <=, >=), this gives an administrator
considerable flexibility in saving a running kernel time and resources
if particular message types are not of interest.
Along those lines, there has been some discussion as to whether this
filtering belongs in the kernel or in auditd (userspace). The patches
I'm submitting now add the functionality to the kernel, in fact. It's
my initial feeling that this may well provide enough of a performance
benefit to merit it's presence there. But I expect this might introduce
a discussion here .... \/
--
The interface to exclude messages of IPC type looks like:
auditctl -a exclude,always -F "msgtype=IPC"
or
auditctl -a exclude,always -F "msgtype=1303"
The interface to exclude userspace messages looks like:
auditctl -a exclude,always -F "msgtype>=1100" -F
"msgtype<=1199"
Note that we can certainly teach the audit userspace to recognize many
constant strings to keep administrators from having to come up with
these magic numbers on their own. Thus, you could use something more
like -F "msgtype>=FIRST_USER_MSG" -F "msgtype<=LAST_USER_MSG",
and so
on.
Also note that if you exclude messages of a particular type, its
auxiliary messages are nuked as well.
Patches follow in adjacent emails. Comments welcome.
:-Dustin
3:27 a.m.
On 11/1/05, Dustin Kirkland <dustin.kirkland(a)us.ibm.com> wrote:
The interface to exclude messages of IPC type looks like:
auditctl -a exclude,always -F "msgtype=IPC"
Just now thinking about this... This might be a bit verbose for what
is truly needed. That is, the "always" part, and even the "msgtype"
should probably be implicit. In which case, we might offer a shortcut
interface for excluding audit messages by type to use a new "-E"
parameter:
auditctl -E "type=IPC" -E "type>1400"
Also, I realized that my first patch didn't update the man page or the
usage statements for auditctl. I'll fix that in subsequent posts as
we hash out the interoperation of kernel and userspace.
:-Dustin
8:26 a.m.
On Wed, Nov 02, 2005 at 04:27:34AM -0500, Dustin Kirkland wrote:
On 11/1/05, Dustin Kirkland <dustin.kirkland(a)us.ibm.com>
wrote:
> The interface to exclude messages of IPC type looks like:
> auditctl -a exclude,always -F "msgtype=IPC"
Just now thinking about this... This might be a bit verbose for what
is truly needed. That is, the "always" part, and even the "msgtype"
should probably be implicit.
Yes, definitely. I am in favor of a separate option.
In which case, we might offer a shortcut interface for excluding
audit messages by type to use a new "-E" parameter:
auditctl -E "type=IPC" -E "type>1400"
Using the hard numbers is not a good idea. We want to abstract that
from the user. It would be better to define an alias that comprises
an event group. For example:
auditctl -E user
would exclude any messages in the range AUDIT_FIRST_USER_MSG to
AUDIT_LAST_USER_MSG.
If you want to support excluding a specific message type, then you
could accept the syntax:
auditctl -E AUDIT_AVC
or perhaps more preferably:
auditctl -E avc
where avc translates to message type AUDIT_AVC.
Providing the capability to exclude single messages or larger groups
of messages should suffice. I don't think it benefits the user to
support the >,< operators in this case.
Additionally, I don't think it makes sense to support the exclusion of
any single message type defined in the header file. Some message
types, like AUDIT_PATH, don't stand on their own, but belong to a
greater subset. If we can identify message types that stand on their
own, then we can support excluding those on their own, as well as in
part of an event group.
Amy
8:45 a.m.
On Thursday 03 November 2005 09:26, Amy Griffis wrote:
> auditctl -E "type=IPC" -E "type>1400"
Using the hard numbers is not a good idea.
This is just an illustration. Besides, we have to support numbers as we may be
using old user space tools and new kernel.
We want to abstract that
from the user. It would be better to define an alias that comprises
an event group. For example:
auditctl -E user
would exclude any messages in the range AUDIT_FIRST_USER_MSG to
AUDIT_LAST_USER_MSG.
Aahh, but there is a collision in that audit_user is a valid message type.
This would be confusing, too.
Providing the capability to exclude single messages or larger groups
of messages should suffice. I don't think it benefits the user to
support the >,< operators in this case.
But it calls the comparator function, so we can support these operators for
free.
Additionally, I don't think it makes sense to support the
exclusion of
any single message type defined in the header file.
I think we should let users decide for themselves. We cannot know every
situation or reason for doing things. Why prevent someone that knows what
they want?
-Steve
6988
days inactive
6990
days old
linux-audit@lists.linux-audit.osci.io
3 comments
4 participants
participants (4)
-
Amy Griffis -
Dustin Kirkland -
Dustin Kirkland -
Steve Grubb