From: Paul Moore
Subject: Re: [RFC 1/1] NetLabel: add audit support for configuration changes
Date: Wed, 27 Sep 2006 09:21:48 -0400
Message-ID: <200609270921.48737.paul.moore@hp.com>
In-Reply-To: <45199FB6.4050009@hp.com>
References: <20060926205722.828559000@hp.com> <20060926205727.820094000@hp.com> <45199FB6.4050009@hp.com>
To: Linda Knippers
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 26 September 2006 5:46 pm, Linda Knippers wrote:
> paul.moore@hp.com wrote:
> > This patch is a first attempt at adding auditing support to NetLabel,
> > based on a conversation with Steve Grubb on irc last Friday (9/22). I
> > wanted to send this out to the audit mailing list first to get some
> > feedback on such things as message types and message formats. Once I
> > have collected your feedback I plan on posting the next version of the
> > patch to both the netdev and audit mailing lists for inclusion in 2.6.19.
> >
> > So please, if you have comments/concerns/etc. please share them now so
> > this does not get held up later - thank you.
>
> It might be helpful if you also mailed out some examples of the audit
> records generated by this code.
Sheesh, isn't that what the code is for :)

Anyway, here are all of the audit messages along with some actions that will
cause them to be triggered. I tried to model the message format off a
combination of SELinux AVC and syscall messages. Bear in mind that the message
type appears as unknown because the audit daemon does not yet know about the
new message types. Once again, comments are welcome.

# netlabelctl unlbl accept on

type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl"

(there is also an audit message for "unlbl accept off" which changes
"action=accept" to "action=deny")

# netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0 categories:0=0

type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" doi=1 type=std

# netlabelctl cipsov4 add pass doi:1 tags:1

type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" doi=2 type=pass

# netlabelctl cipsov4 del doi:2

type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" doi=2

# netlabelctl map add domain:foo_t protocol:cipsov4,1

type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1

# netlabelctl map add domain:bar_t protocol:unlbl

type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl

# netlabelctl map del domain:bar_t

type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=bar_t

(when operating on the default mapping the "domain=" is replaced with
"domain=(default)")

-- 
paul moore
linux security @ hp
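The records above have the shape "type=... msg=audit(secs:serial): netlabel: key=value ...", with comm= and exe= double-quoted and everything else bare. The following parser and triage rule are an added example for the reader of this archive, not code from the NetLabel patch, netlabelctl or the audit userspace. It parses the sample records from the message, keeps the numeric id out of the UNKNOWN[n] type (auditd had no names for the new types yet), and flags the changes that reduce labeling coverage. The "weakens labeling" rule (accepting unlabeled traffic, deleting a DOI or a domain mapping) is the editor's own assumption about what an operator would want alerted on, not anything the patch defines. Two records (an "unlbl accept off" and a delete of the default mapping) and one SYSCALL line are constructed from the parenthetical descriptions in the message and are labelled as such in the code.

```python
import re

# Added example: parse the NetLabel audit records shown in the message above and
# flag configuration changes that weaken labeling. Not part of the NetLabel
# patch, netlabelctl or the audit userspace.

# Record envelope: "type=<T> msg=audit(<secs>.<ms>:<serial>): netlabel: <fields>"
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"netlabel:\s+(?P<body>.*)$"
)
# Body fields are key=value; a value is either a double-quoted string
# (comm=, exe=) or a run of non-space characters (doi=1, domain=(default)).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNKNOWN_RE = re.compile(r"UNKNOWN\[(\d+)\]")


def parse_netlabel_record(line):
    """Return a dict of fields for a 'netlabel:' audit record, else None.

    The envelope type is stored as 'record_type' because the cipsov4 records
    also carry a body field named 'type' (type=std / type=pass)."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "record_type": m.group("type"),
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    # auditd printed UNKNOWN[n] because it had no name for the new types yet;
    # keep the numeric id so records can still be grouped by type.
    u = UNKNOWN_RE.fullmatch(rec["record_type"])
    rec["type_id"] = int(u.group(1)) if u else None
    for key, value in FIELD_RE.findall(m.group("body")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    return rec


def weakens_labeling(rec):
    """Editor's own triage rule (an assumption, not from the patch): accepting
    unlabeled traffic, or deleting a DOI or a domain mapping, reduces labeling
    coverage and deserves an alert; additions do not."""
    module, action = rec.get("module"), rec.get("action")
    if module == "unlbl" and action == "accept":
        return True
    if module in ("cipsov4", "map") and action == "del":
        return True
    return False


def describe(rec):
    """One-line summary: what changed and who changed it."""
    target = " ".join(
        f"{k}={rec[k]}" for k in ("domain", "protocol", "doi", "type") if k in rec
    )
    who = f"auid={rec.get('auid')} pid={rec.get('pid')} comm={rec.get('comm')}"
    return f"{rec['module']} {rec['action']} {target} ({who})".replace("  ", " ")


def review_log(lines):
    """Parse a batch of audit lines; return (serial, description, weakens) for
    each NetLabel record and silently skip everything else."""
    out = []
    for line in lines:
        rec = parse_netlabel_record(line)
        if rec is None:
            continue
        out.append((rec["serial"], describe(rec), weakens_labeling(rec)))
    return out


# Records copied from the message above, plus constructed ones marked below.
SAMPLE_LOG = [
    'type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl"',
    # constructed: the "unlbl accept off" variant described in the message
    'type=UNKNOWN[1406] msg=audit(1159362400.123:422): netlabel: module=unlbl action=deny auid=0 uid=0 euid=0 tty=pts0 pid=6715 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl"',
    'type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" doi=1 type=std',
    'type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" doi=2 type=pass',
    'type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" doi=2',
    'type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1',
    'type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl',
    'type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=bar_t',
    # constructed: delete of the default mapping, "domain=(default)" per the message
    'type=UNKNOWN[1411] msg=audit(1159362650.500:426): netlabel: module=map action=del auid=0 uid=0 euid=0 tty=pts0 pid=6745 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl" domain=(default)',
    # constructed: an unrelated record the parser must ignore
    'type=SYSCALL msg=audit(1159362394.806:420): arch=c000003e syscall=46 success=yes exit=0 comm="netlabelctl"',
]

if __name__ == "__main__":
    for serial, text, weak in review_log(SAMPLE_LOG):
        print(f"{serial}: {'ALERT ' if weak else '      '}{text}")
```

Two points worth noting when reading the output: the envelope type and the cipsov4 body field are both spelled "type", so a flat key/value parser clobbers one with the other unless the envelope is renamed, and "domain=(default)" is a bare token rather than a quoted string, so the value pattern has to accept parentheses.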