From: LC Bruzenak <lenny@magitekltd.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: Re: audisp plugin policy question(s)
Date: Wed, 22 Oct 2008 13:15:46 -0500 [thread overview]
Message-ID: <1224699346.14755.170.camel@homeserver> (raw)
In-Reply-To: <200810221253.54018.sgrubb@redhat.com>
On Wed, 2008-10-22 at 12:53 -0400, Steve Grubb wrote:
> On Wednesday 22 October 2008 12:46:24 LC Bruzenak wrote:
>
>
Steve,
Thanks for the info!
> > Right now my prelude-manager runs ranged SystemLow-SystemHigh.
> > Should this be only SystemHigh?
>
> I would put the prelude manager and correlator at the same level as the audit
> daemon since they get parts of the audit logs in events. So, if auditd is
> ranged, prelude should be.
The auditd runs syshi, so that means the prelude-manager should be
changed.
I'll run the correlator on a non-mls policy system where I aggregate all
audit data, so that one doesn't affect me (I think).
system_u:system_r:auditd_t:SystemHigh 5 S root 2660 1 0 76 -4 - 28177 epoll_ Oct20 ? 00:00:02 auditd
>
> > There are some spool files not set accordingly which cause AVCs.
> > I guess these need file contexts?
>
> Yep. Those spools are likely storage for transmissions while prelude-manager
> is down.
>
I think you are right.
I set those manually (with chcon) and the access AVCs were gone, but
they need to be made permanent in policy.
These subdirs/files are all under /var/spool/prelude
and /var/spool/prelude-manager.
>
> > Then there is a prelude-manager<->prelude-lml question, but I won't get
> > into that in case I hear "take it up with the prelude guys" from the
> > above.
>
> I would take it up with them iff you have a reproducible problem when not in
> MLS. If it only shows up when on MLS, you likely have a policy problem.
Then it's policy (or configuration). On my non-mls machine it is fine.
Here's the issue:
Setup 1: Have a prelude_lml listening on each level for router syslogs.
----------------
|  MLS server  |
|  s1.s15:\    |
|   c0.c1023   |
|              |
|  prelude-mgr |
|              |
|prelude_lml_1 |<------> (router1) WAN1 level s4:c3.c5
|prelude_lml_2 |<------> (router2) WAN2 level s14:c0.c1022
----------------
Then the lower-level prelude-lmls would need policy to talk to the syshi
prelude-manager. A more paranoid approach would be to also launch
prelude-managers at those levels in addition to the syshi one.
Setup 2: Make the prelude_lml be ranged, listening on both nets:
----------------
|  MLS server  |
|  s1.s15:\    |
|   c0.c1023   |
|              |
|  prelude-mgr |
|              |
| prelude_lml  |<------> (router1) WAN1 level s4:c3.c5
|              |<------> (router2) WAN2 level s14:c0.c1022
----------------
In this case the same prelude-lml would listen on both nets.
From a security perspective it is possible for it to transfer data
directly from one to the other; however given the data is only router
logs this would probably be acceptable IMO.
In either case there is a risk that the prelude-manager could send
higher-classified data through the prelude-lml that I do not think we
can abate easily with policy, since it probably needs bidirectional data
to operate normally.
Thanks again!
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
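The two setups above come down to plain MLS dominance: a process can handle a peer's level without extra policy only if its range low dominates nothing above that level and its range high dominates it. The script below is an added illustration, not code from this thread or from Prelude; it assumes the diagrams' "s1.s15:c0.c1023" means the SELinux range s1-s15:c0.c1023, that SystemHigh is s15:c0.c1023 (the default MLS policy), and it ignores MLS constraint exceptions such as the mlsnet* attributes that policy could grant.

```python
import re

# Constructed sample labels taken from the setups discussed in the thread.
MLS_SERVER_RANGE = "s1-s15:c0.c1023"  # ranged MLS server / ranged prelude_lml (Setup 2)
SYSTEM_HIGH = "s15:c0.c1023"          # assumption: default 16-level/1024-category policy
WAN1_LEVEL = "s4:c3.c5"
WAN2_LEVEL = "s14:c0.c1022"

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(text):
    """Parse a level such as 's4:c3.c5,c9' into (sensitivity, frozenset of categories)."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    sens = int(m.group(1))
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:                      # 'c3.c5' is the inclusive run c3, c4, c5
                lo, hi = (int(p[1:]) for p in part.split("."))
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(part[1:]))
    return sens, frozenset(cats)


def parse_range(text):
    """Parse 'low-high'; a single level means low == high (an unranged process)."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dominates(a, b):
    """MLS dominance: a >= b iff a's sensitivity is >= b's and a's categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def range_covers(proc_range, level):
    """True if low <= level <= high, i.e. the process can handle that level with no policy override."""
    low, high = parse_range(proc_range)
    lvl = parse_level(level)
    return dominates(lvl, low) and dominates(high, lvl)


if __name__ == "__main__":
    for proc in (MLS_SERVER_RANGE, SYSTEM_HIGH, WAN1_LEVEL):
        for lvl in (WAN1_LEVEL, WAN2_LEVEL, SYSTEM_HIGH):
            print(f"{proc:18} covers {lvl:14}: {range_covers(proc, lvl)}")
```

Run stand-alone it shows that the ranged process covers both router levels, while a single-level lml at s4:c3.c5 and an unranged SystemHigh manager cannot reach each other, which is the policy gap Setup 1 has to fill.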