From: Paul Moore <paul.moore@hp.com>
To: Linda Knippers <linda.knippers@hp.com>
Cc: linux-audit@redhat.com
Subject: Re: [RFC 1/1] NetLabel: add audit support for configuration changes
Date: Wed, 27 Sep 2006 09:21:48 -0400
Message-ID: <200609270921.48737.paul.moore@hp.com>
In-Reply-To: <45199FB6.4050009@hp.com>

On Tuesday 26 September 2006 5:46 pm, Linda Knippers wrote:
> paul.moore@hp.com wrote:
> > This patch is a first attempt at adding auditing support to NetLabel,
> > based on a conversation with Steve Grubb on irc last Friday (9/22).  I
> > wanted to send this out to the audit mailing list first to get some
> > feedback on such things as message types and message formats.  Once I
> > have collected your feedback I plan on posting the next version of the
> > patch to both the netdev and audit mailing lists for inclusion in 2.6.19.
> >
> > So please, if you have comments/concerns/etc. please share them now so
> > this does not get held up later - thank you.
>
> It might be helpful if you also mailed out some examples of the audit
> records generated by this code.

Sheesh, isn't that what the code is for :)

Anyway, here are all of the audit messages along with some actions that will 
cause them to be triggered.  I tried to model the message format off a 
combination of SELinux AVC and syscall messages.  Bear in mind that the 
message type appears as unknown because the audit daemon does not yet know 
about the new message types.  Once again, comments are welcome.

 # netlabelctl unlbl accept on

type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl 
action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl"

 (there is also an audit message for "unlbl accept off" which changes
  "action=accept" to "action=deny")

 # netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0 categories:0=0

type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=1 type=std

 # netlabelctl cipsov4 add pass doi:1 tags:1

type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=2 type=pass

 # netlabelctl cipsov4 del doi:2

type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=2

 # netlabelctl map add domain:foo_t protocol:cipsov4,1

type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1

 # netlabelctl map add domain:bar_t protocol:unlbl

type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl

 # netlabelctl map del domain:bar_t

type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map 
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=bar_t

 (when operating on the default mapping the "domain=<domain string>" is
  replaced with "domain=(default)")

-- 
paul moore
linux security @ hp
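As an added example, which is not part of this mail or of the NetLabel code, the following Python snippet parses the record format shown above (the fixed `type=... msg=audit(secs:serial): netlabel:` prefix followed by `key=value` pairs, with `comm=` and `exe=` double-quoted) into a structured form and summarises the configuration changes per module and action. The sample input is the set of records quoted in the mail, joined back onto single lines, plus one constructed `domain=(default)` record to exercise the default-mapping note; the numeric type values are used exactly as printed, and no symbolic audit type names are assumed.

```python
"""Parse NetLabel configuration-change audit records of the form quoted above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed prefix shared by every record in the mail:
#   type=<NAME>[<num>] msg=audit(<secs>.<millis>:<serial>): netlabel: <key=value ...>
RECORD_RE = re.compile(
    r"^type=(?P<tname>[A-Z_]+)(?:\[(?P<tnum>\d+)\])?"
    r"\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+netlabel:\s+(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted (comm=, exe=) or bare tokens
# such as doi=1, domain=foo_t or domain=(default).
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


@dataclass
class NetLabelAuditRecord:
    type_name: str            # "UNKNOWN" until auditd learns the new message types
    type_num: Optional[int]   # numeric type printed in brackets, e.g. 1406
    timestamp: float          # seconds since the epoch, as given by audit(...)
    serial: int               # audit serial number
    fields: Dict[str, str]    # module, action, auid, ..., doi, domain, protocol
    # note: the cipsov4 records carry a body field literally named "type"
    # (type=std / type=pass); it lives in fields["type"], not in type_name.


def parse_record(line: str) -> NetLabelAuditRecord:
    """Parse one netlabel audit record; raise ValueError for anything else."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a netlabel audit record: {line!r}")
    fields: Dict[str, str] = {}
    for f in FIELD_RE.finditer(m.group("body")):
        value = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
        fields[f.group("key")] = value
    return NetLabelAuditRecord(
        type_name=m.group("tname"),
        type_num=int(m.group("tnum")) if m.group("tnum") else None,
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        fields=fields,
    )


def parse_log(lines: List[str]) -> List[NetLabelAuditRecord]:
    """Parse every netlabel record in a log, silently skipping other record types."""
    out = []
    for line in lines:
        if "): netlabel: " in line:
            out.append(parse_record(line))
    return out


def describe(rec: NetLabelAuditRecord) -> str:
    """One-line human summary: what changed, and which process/user did it."""
    f = rec.fields
    detail = " ".join(f"{k}={f[k]}" for k in ("doi", "type", "domain", "protocol") if k in f)
    who = f"auid={f.get('auid')} uid={f.get('uid')} comm={f.get('comm')} pid={f.get('pid')}"
    return f"{f['module']} {f['action']} {detail}".rstrip() + f" [{who}]"


def is_default_mapping(rec: NetLabelAuditRecord) -> bool:
    """True when a map record refers to the default mapping (domain=(default))."""
    return rec.fields.get("module") == "map" and rec.fields.get("domain") == "(default)"


def count_changes(records: List[NetLabelAuditRecord]) -> Counter:
    """Count records by (module, action), e.g. {("map", "add"): 2, ...}."""
    return Counter((r.fields["module"], r.fields["action"]) for r in records)


# Sample input: the records quoted in the mail, each joined onto one line,
# followed by one constructed record for the "(default)" domain case.
SAMPLE_RECORDS = [
    'type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl"',
    'type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" doi=1 type=std',
    'type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" doi=2 type=pass',
    'type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" doi=2',
    'type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1',
    'type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl',
    'type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" domain=bar_t',
    # constructed (not from the mail): default-mapping removal
    'type=UNKNOWN[1411] msg=audit(1159362700.000:426): netlabel: module=map action=del auid=0 uid=0 euid=0 tty=pts0 pid=6750 comm="netlabelctl"  exe="/usr/local/sbin/netlabelctl" domain=(default)',
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_RECORDS)
    for r in recs:
        print(f"{r.serial}: {describe(r)}" + ("  <default mapping>" if is_default_mapping(r) else ""))
    print(dict(count_changes(recs)))
```

The parser keeps the audit-level identity fields (auid, uid, euid, tty, pid, comm, exe) separate from the per-module detail fields (doi, type, domain, protocol), which is what a reviewer of these records cares about: the former say who changed the labelling configuration, the latter say what changed. Once auditd knows the new type numbers, `type_name` will stop reading `UNKNOWN` while `type_num` and the body fields stay the same.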
