Re: CONFIG_CHANGE record formats

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: CONFIG_CHANGE record formats
Date: Fri, 30 Mar 2018 13:20:47 -0400	[thread overview]
Message-ID: <1906093.e7X4P2EiWg@x2> (raw)
In-Reply-To: <20180322084246.ftjsyk4d5c4xx5u4@madcap2.tricolour.ca>

On Thursday, March 22, 2018 4:42:46 AM EDT Richard Guy Briggs wrote:
> Hi Steve, Paul,
> 
> Looking at some AUDIT_CONFIG_CHANGE record formats, a couple of things
> stand out as potential problems:
> 
> For ADD_RULE and DEL_RULE case when audit_enabled is in the AUDIT_LOCKED
> state, it just outputs "audit_enabled=2 res=0" to indicate locked and
> failure, but doesn't appear to actually give the normal "op=<mumble>" to
> indicate a rule change was attempted and refused due to immutability of
> the rule set.  Will this be a problem for the parser, and should an
> attempted rule change be logged as such?

If its the only rule change event that does not have an op= field, then make 
it have one.


> The other is AUDIT_TTY_SET that has non-standard old-* and new-* fields,
> but since there are two, I think it is unavoidable and can't be fixed.

We actually have to have old and new values for any configuration change that 
is not a rule add/delete. For example, if we enable audit, we need the old 
and new values. This can be expressed either as old- new-  or old- and the 
item without a new prefix.
 
> Another is that other than a change to the enabled status and maybe
> auditd PID changes, every other config change should not be logged if
> audit is disabled.

True.

> Furthermore, if CONFIG_CHANGE records are to be accompanied by syscall
> records, they should obey audit_dummy_context() to avoid unaccompanied
> records.  Does this reasoning make sense?

CONFIG_CHANGE records are simple events and not compound events. They should 
contain all the pertinent information in their one record.

-Steve

     prev parent reply	other threads:[~2018-03-30 17:20 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-22  8:42 CONFIG_CHANGE record formats Richard Guy Briggs
2018-03-23  8:20 ` Richard Guy Briggs
2018-03-23 21:48   ` Paul Moore
2018-03-30  9:26     ` Richard Guy Briggs
2018-03-30 12:35       ` Paul Moore
2018-03-30 15:07         ` Richard Guy Briggs
2018-03-30 17:20 ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1906093.e7X4P2EiWg@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.