From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 1/1] audit: CONFIG_CHANGE don't log internal bookkeeping as an event
Date: Tue, 07 Jan 2020 17:52:48 -0500 [thread overview]
Message-ID: <5079865.NZeRZbyqen@x2> (raw)
In-Reply-To: <CAHC9VhT28zhWmt2pNDmaLR2p6D39o3LRmVU34Ue3Z_WUNzMdcw@mail.gmail.com>
On Monday, January 6, 2020 8:47:33 PM EST Paul Moore wrote:
> On Sun, Jan 5, 2020 at 10:22 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > Common Criteria calls out for any action that modifies the audit trail to
> > be recorded. That usually is interpreted to mean insertion or removal of
> > rules. It is not required to log modification of the inode information
> > since the watch is still in effect. Additionally, if the rule is a never
> > rule and the underlying file is one they do not want events for, they
> > get an event for this bookkeeping update against their wishes.
> >
> > Since no device/inode info is logged at insertion and no device/inode
> > information is logged on update, there is nothing meaningful being
> > communicated to the admin by the CONFIG_CHANGE updated_rules event. One
> > can assume that the rule was not "modified" because it is still watching
> > the intended target. If the device or inode cannot be resolved, then
> > audit_panic is called which is sufficient.
> >
> > I think the correct resolution is to drop logging config_update events
> > since the watch is still in effect but just on another unknown inode.
>
> Either this patch is the correct resolution or it isn't, the
> description should state that clearly. If you are unsure we can
> discuss it, but it sounds like you are certain that this record isn't
> needed here, yes?
It's not needed based on the rationale above and it's irritating some people
because of that.
-Steve
> > Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> > ---
> >
> > kernel/audit_watch.c | 2 --
> > 1 file changed, 2 deletions(-)
> >
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 4508d5e0cf69..8a8fd732ff6d 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent
> > *parent,>
> > if (oentry->rule.exe)
> >
> > audit_remove_mark(oentry->rule.exe);
> >
> > - audit_watch_log_rule_change(r, owatch,
> > "updated_rules"); -
> >
> > call_rcu(&oentry->rcu, audit_free_rule_rcu);
> >
> > }
next prev parent reply other threads:[~2020-01-07 22:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-05 15:22 [PATCH 1/1] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Steve Grubb
2020-01-07 1:47 ` Paul Moore
2020-01-07 22:52 ` Steve Grubb [this message]
2020-01-07 23:29 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2020-01-08 13:37 Steve Grubb
2020-01-09 4:42 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5079865.NZeRZbyqen@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.