From: Eric Paris <eparis@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org, davem@davemloft.net,
jamal@mojatatu.com
Subject: Re: [PATCH 0/6][v2] audit: implement multicast socket for journald
Date: Tue, 22 Apr 2014 23:57:55 -0400
Message-ID: <1398225475.750.7.camel@localhost>
In-Reply-To: <26389161.vp9iWSVLPX@x2>

On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted capability read-only netlink multicast socket to kernel audit to
> > enable userspace clients such as systemd/journald to receive audit logs, in
> > addition to the bidirectional auditd userspace client.
>
> Do we have the ability to separate secadm_r and sysadm_r? By allowing this, we
> will leak to a sysadmin that he is being audited by the security officer. In a
> lot of cases, they are one and the same person. But for others, they are not. I
> have a feeling this will cause problems for MLS systems.

Why? This requires CAP_AUDIT_READ. Just don't give CAP_AUDIT_READ to
places you don't want to have read permission. Exactly the same as you
don't give CAP_AUDIT_CONTROL to sysadm_r. (If we are giving
CAP_AUDIT_CONTROL to sysadm_r and you think that any file protections
on /var/log/audit/audit.log are adequate we are fooling ourselves!)

> Also, shouldn't we have an audit event for every attempt to connect to this
> socket? We really need to know where this information is getting leaked to.

We certainly can. What would you like to see in that event?

-Eric
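What the CAP_AUDIT_READ gate looks like from the consumer's side, as an added example that is not part of the patch series or of this thread. The program opens a NETLINK_AUDIT socket, joins the read-only multicast group and prints each record; the group name AUDIT_NLGRP_READLOG and the header that defines it are assumed from the merged series, and the two records in sample_count() are constructed for the offline parser check, not captured from a kernel. The point the exchange above turns on is visible in audit_readlog_open(): the capability is checked when the group is joined, so a process without CAP_AUDIT_READ gets EPERM from setsockopt() rather than a silent, empty feed.

```c
/* Added example, not code from the patch series or this thread: subscribe to the
 * read-only audit multicast group and print the records.  Assumes a kernel with
 * the group and a <linux/audit.h> that defines AUDIT_NLGRP_READLOG. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif

/* type is the AUDIT_* record type from nlmsg_type; text is len bytes, not NUL-terminated. */
struct audit_rec { unsigned int type; size_t len; const char *text; };

/* Split buf[0..n) into complete netlink messages; a truncated tail is dropped. */
static int audit_parse(const void *buf, size_t n, struct audit_rec *out, int max)
{
    const struct nlmsghdr *nlh = buf;
    int left = (int)n, count = 0;   /* NLMSG_OK/NLMSG_NEXT want a signed length */
    while (count < max && NLMSG_OK(nlh, left)) {
        out[count++] = (struct audit_rec){ nlh->nlmsg_type,
                                           nlh->nlmsg_len - NLMSG_HDRLEN, NLMSG_DATA(nlh) };
        nlh = NLMSG_NEXT(nlh, left);
    }
    return count;
}

/* Open NETLINK_AUDIT and join the log group.  The capability check is in the kernel's
 * audit bind hook, so the join fails: EPERM without CAP_AUDIT_READ, EINVAL if absent. */
static int audit_readlog_open(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    int grp = AUDIT_NLGRP_READLOG, saved;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -1;
    /* bind() assigns a port id; kernel multicasts (sent from port 0) skip sockets whose port id is 0 */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp, sizeof grp) == 0)
        return fd;
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Offline check on a constructed sample (not captured from a kernel): frame two records
 * as netlink messages, drop `truncate_by` trailing bytes, count records of type `want` (0 = any). */
static int sample_count(unsigned int want, size_t truncate_by)
{
    static const struct { unsigned short type; const char *text; } in[] = {
        { AUDIT_SYSCALL, "audit(1398225475.750:42): arch=c000003e syscall=59 success=yes exit=0" },
        { AUDIT_EOE, "audit(1398225475.750:42): " },
    };
    union { struct nlmsghdr hdr; unsigned char raw[256]; } buf;
    struct audit_rec out[8];
    size_t off = 0;
    int hits = 0, got;
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) {
        size_t plen = strlen(in[i].text);
        struct nlmsghdr *nlh = (struct nlmsghdr *)(buf.raw + off);
        if (off + NLMSG_SPACE(plen) > sizeof buf.raw)
            return -1;
        memset(nlh, 0, NLMSG_SPACE(plen));
        nlh->nlmsg_len = NLMSG_LENGTH(plen);
        nlh->nlmsg_type = in[i].type;
        memcpy(NLMSG_DATA(nlh), in[i].text, plen);
        off += NLMSG_SPACE(plen);
    }
    if (truncate_by > off)
        return -1;
    got = audit_parse(buf.raw, off - truncate_by, out, 8);
    for (int i = 0; i < got; i++)
        hits += (want == 0 || out[i].type == want);
    return hits;
}

int main(void)
{
    unsigned char buf[16384];
    struct audit_rec recs[64];
    int fd = audit_readlog_open();
    if (fd < 0) {
        perror("join AUDIT_NLGRP_READLOG (EPERM means no CAP_AUDIT_READ)");
        return 1;
    }
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0 && errno == ENOBUFS)
            continue;   /* best-effort feed: the kernel dropped records, keep reading */
        if (n <= 0)
            break;
        for (int i = 0, got = audit_parse(buf, (size_t)n, recs, 64); i < got; i++)
            printf("type=%u %.*s\n", recs[i].type, (int)recs[i].len, recs[i].text);
    }
    return 0;
}
```

Build with `cc -o audit_readlog audit_readlog.c` and run it with CAP_AUDIT_READ (as root, for instance); without the capability the program exits at the join with "Operation not permitted", which is the behaviour Eric is relying on. Two things a consumer should expect from a multicast feed rather than the auditd socket: records are best effort, so ENOBUFS from recv() means the kernel dropped some while the receive queue was full, and there is no acknowledgement or request path, only the group join. Whether sysadm_r can see the feed is therefore decided by whether its domain is granted CAP_AUDIT_READ (the capability2 audit_read permission in SELinux policy), which is the same lever used for CAP_AUDIT_CONTROL, not by any permission on the log file.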
Thread overview (89+ messages):
2014-03-21 16:39 [PATCH] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-03-23 4:50 ` David Miller
2014-03-24 14:38 ` Richard Guy Briggs
2014-03-24 18:34 ` Richard Guy Briggs
2014-03-24 18:35 ` [PATCH][v3] " Richard Guy Briggs
2014-03-24 19:37 ` [PATCH][v4] " Richard Guy Briggs
2014-03-24 20:59 ` [PATCH][v5] " Richard Guy Briggs
2014-03-26 19:52 ` David Miller
2014-03-26 20:09 ` v6 superceded it [was: Re: [PATCH][v5] netlink: have netlink per-protocol bind function return an error code.] Richard Guy Briggs
2014-03-25 12:50 ` [PATCH][v6] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-03-26 20:46 ` David Miller
2014-03-26 23:13 ` Patrick McHardy
2014-03-25 13:11 ` unbind [was: Re: [PATCH] netlink: have netlink per-protocol bind function return] " Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 0/3] netlink: per-protocol bind fixup/enhancement set Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 1/3] netlink: simplify nfnetlink_bind Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 2/3][v7] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-04-01 14:14 ` [PATCH 3/3] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP Richard Guy Briggs
2014-04-01 21:33 ` [PATCH 0/3] netlink: per-protocol bind fixup/enhancement set David Miller
2014-04-01 22:12 ` Richard Guy Briggs
2014-04-01 22:21 ` David Miller
2014-04-18 17:34 ` [PATCH 0/6] audit: implement multicast socket for journald Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 1/6] netlink: simplify nfnetlink_bind Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 2/6] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-04-22 20:19 ` David Miller
2014-04-23 1:30 ` Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 0/6][v2] audit: implement multicast socket for journald Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 1/6][v2] netlink: simplify nfnetlink_bind Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 2/6][v2] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 3/6][v2] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 4/6][v2] audit: add netlink audit protocol bind to check capabilities on multicast join Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 5/6][v2] audit: add netlink multicast group for log read Richard Guy Briggs
2014-04-23 1:31 ` [PATCH 6/6][v2] audit: send multicast messages only if there are listeners Richard Guy Briggs
2014-04-23 1:43 ` [PATCH 0/6][v2] audit: implement multicast socket for journald David Miller
2014-04-23 1:49 ` Richard Guy Briggs
2014-04-23 3:55 ` David Miller
2014-04-23 2:25 ` Steve Grubb
2014-04-23 3:57 ` Eric Paris [this message]
2014-04-23 13:40 ` Daniel J Walsh
2014-04-23 14:42 ` Eric Paris
2014-04-23 15:36 ` Daniel J Walsh
2014-04-23 15:37 ` Eric Paris
2014-04-23 15:52 ` Daniel J Walsh
2014-04-24 13:22 ` Eric Paris
2014-04-24 14:59 ` Daniel J Walsh
2014-04-24 15:03 ` Eric Paris
2014-04-24 16:03 ` Daniel J Walsh
2014-04-28 22:08 ` Steve Grubb
2014-10-07 4:09 ` Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 3/6] netlink: implement unbind to netlink_setsockopt NETLINK_DROP_MEMBERSHIP Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 4/6] audit: add netlink audit protocol bind to check capabilities on multicast join Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 5/6] audit: add netlink multicast group for log read Richard Guy Briggs
2014-04-18 17:34 ` [PATCH 6/6] audit: send multicast messages only if there are listeners Richard Guy Briggs