From: LC Bruzenak <lenny@bruzenak.com>
To: Klaus Weidner <klaus@atsec.com>
Cc: linux-audit@redhat.com
Subject: Re: Logging failed open() calls on /var/log/audit/audit.log
Date: Thu, 29 Jun 2006 13:04:38 -0500 [thread overview]
Message-ID: <1151604278.4879.63.camel@fryspc> (raw)
In-Reply-To: <20060629163454.GA5188@w-m-p.com>
On Thu, 2006-06-29 at 11:34 -0500, Klaus Weidner wrote:
> On Tue, Jun 27, 2006 at 05:15:53PM -0400, Amy Griffis wrote:
> > Robert Giles wrote: [Tue Jun 27 2006, 04:43:10PM EDT]
> > > So if I attempt to access /etc/shadow as a regular user, a "success=no"
> > > audit event is generated to indicate read failure - but if a regular user
> > > attempts to read /var/log/audit/audit.log, nothing happens (no audit event
> > > whatsoever is created).
> >
> > This is because the regular doesn't have permissions to read
> > /var/log/audit. Since the path didn't fully resolve to
> > /var/log/audit/audit.log, the user didn't actually fail to access
> > audit.log, they failed to access /var/log/audit.
> >
> > If you would like to see a record in this case, you must add a watch
> > for /var/log/audit.
>
> CAPP etc. require audit records for unsuccessful attempts to access
> objects, but we've generally used the interpretation that there is no
> access attempt to the object if a containing directory already rejects
> the directory traversal before getting to the object. It's not ideal but
> it's the best fit to the way the path access works.
>
> If you really insist on the audit records, you could weaken the
> restrictions on the /var/log/audit/ directory (for example 711
> permissions) so that it doesn't reject the traversal. The audit files are
> still protected of course.
>
> -Klaus
Klaus,
What you are saying is true, however I would caution against allowing
the traversal because I think my accreditors would argue that it would
open a covert channel potential.
Obviously there would need to be a participating high-side or privileged
signaler, but at least in our case I believe we can live with the
directory rejection rather than the file itself.
In short, I agree with your interpretation.
LCB.
--
LC Bruzenak
lenny@bruzenak.com
next prev parent reply other threads:[~2006-06-29 18:05 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-27 20:43 Logging failed open() calls on /var/log/audit/audit.log Robert Giles
2006-06-27 21:15 ` Amy Griffis
2006-06-27 21:21 ` Steve Grubb
2006-06-27 21:32 ` Timothy R. Chavez
2006-06-27 23:10 ` Amy Griffis
2006-06-27 21:32 ` Amy Griffis
2006-06-27 21:36 ` Linda Knippers
2006-06-27 22:03 ` Alexander Viro
2006-06-27 22:16 ` Linda Knippers
2006-06-29 16:34 ` Klaus Weidner
2006-06-29 18:04 ` LC Bruzenak [this message]
2006-06-29 18:12 ` Robert Giles
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1151604278.4879.63.camel@fryspc \
--to=lenny@bruzenak.com \
--cc=klaus@atsec.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox