From: Matthew Booth
Subject: SELinux for auditing
Date: Wed, 31 Jan 2007 00:11:30 +0000
Message-ID: <1170202290.4168.14.camel@localhost.localdomain>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I have a couple of requirements which on the face of it don't seem simple to achieve with auditctl. These are:

* Audit changes to executables
* Audit changes to configuration files

I'll concentrate on the former as it's more obviously problematic. I believe this would require putting a watch explicitly on every executable in the system. If this isn't correct, please correct me and this problem goes away. Assuming it is, though, I don't believe this is a practical solution.

It occurs to me that this might be more easily achieved with SELinux. As a test, I made the following small change to the unconfined domain of the RHEL 4 targeted policy macros/global_macros.te:

# Types an executable file may carry (m4 macro used by the rules below)
define(`executable_files', `{ exec_type sbin_t bin_t lib_t shlib_t ld_so_t }')

# Original rule: the domain gets every permission on every file type
#allow $1 file_type:dir_file_class_set *;
# Replacement: everything except execute on arbitrary file types ...
allow $1 file_type:dir_file_class_set ~execute;
# ... and everything (execute included) on the executable types
allow $1 executable_files:dir_file_class_set *;

# Emit an AVC "granted" audit record for every modification of an executable-typed object
auditallow $1 executable_files:dir_file_class_set { create write rename setattr append relabelfrom };

This does 2 things. Firstly it enforces that the system won't execute files which aren't labelled with an executable type. This is really just to make sure everything is caught by the second rule, which is to audit changes to executables. To make this thorough, you'd have to go through everywhere else execute is granted in other domains.

However, I'm worried I might be stepping outside design intentions. Is the above a good idea? Is using SELinux for writing auditing rules a good idea in general? Is there a better way to achieve this and similar requirements which affect a potentially large class of file?

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
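An auditallow rule such as the one in the mail does not block anything; it makes the kernel emit an AVC record with the verdict "granted" (rather than "denied") each time the listed permission is exercised. The script below is an added example, not part of the original mail, showing how to consume those records: it parses AVC lines from audit.log, keeps only granted modifications whose target type is one of the executable types grouped by the mail's executable_files macro, and returns them as structured entries. It assumes the one-record-per-line audit.log layout and the comm= field of later kernels; the sample log lines are constructed for the example, not captured from a real system.

```python
"""Extract 'avc: granted' records produced by an SELinux auditallow rule.

Added example, not code from the original mail. Assumes the audit.log
layout of the 2.x audit daemon (one record per line, beginning with
'type=AVC msg=audit(...)') and the comm= field printed by later kernels.
SAMPLE_LOG below is constructed for this example, not a real capture.
"""
import re
from collections import namedtuple

# Types the mail's executable_files macro groups together
EXECUTABLE_TYPES = {"exec_type", "sbin_t", "bin_t", "lib_t", "shlib_t", "ld_so_t"}
# Permissions the mail's auditallow rule audits
MODIFY_PERMS = {"create", "write", "rename", "setattr", "append", "relabelfrom"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>granted|denied)\s+\{ (?P<perms>[^}]*)\} for "
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

ExecChange = namedtuple(
    "ExecChange", "ts serial perms pid comm name scontext ttype tclass")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"),
           "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def target_type(tcontext):
    """Type field of a user:role:type[:level] security context."""
    parts = tcontext.split(":")
    return parts[2] if len(parts) >= 3 else tcontext


def executable_changes(lines):
    """Granted modifications of executable-typed objects, in log order."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        # auditallow hits are 'granted'; 'denied' records come from
        # missing allow rules and are not what this report is about
        if rec is None or rec["verdict"] != "granted":
            continue
        ttype = target_type(rec.get("tcontext", ""))
        hit = rec["perms"] & MODIFY_PERMS
        if ttype in EXECUTABLE_TYPES and hit:
            out.append(ExecChange(
                rec["ts"], rec["serial"], frozenset(hit),
                int(rec.get("pid", 0)), rec.get("comm", ""),
                rec.get("name", ""), rec.get("scontext", ""),
                ttype, rec.get("tclass", "")))
    return out


# Constructed sample: one write and one read of /bin/ls, a denial in
# another domain, a create+rename of a shared-library symlink, an
# unrelated SYSCALL record and a write to a file in a home directory.
SAMPLE_LOG = """\
type=AVC msg=audit(1170202290.101:3001): avc:  granted  { write } for  pid=2231 comm="cp" name="ls" dev=sda2 ino=65721 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1170202290.102:3002): avc:  granted  { read } for  pid=2231 comm="cp" name="ls" dev=sda2 ino=65721 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1170202291.500:3003): avc:  denied  { write } for  pid=2240 comm="vi" name="httpd.conf" dev=sda2 ino=9912 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:httpd_config_t tclass=file
type=AVC msg=audit(1170202292.007:3004): avc:  granted  { create rename } for  pid=2250 comm="rpm" name="libc.so.6" dev=sda2 ino=1207 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=lnk_file
type=SYSCALL msg=audit(1170202292.007:3004): arch=40000003 syscall=38 success=yes exit=0
type=AVC msg=audit(1170202293.300:3005): avc:  granted  { write } for  pid=2260 comm="bash" name="notes.txt" dev=sda2 ino=4411 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
"""

if __name__ == "__main__":
    for c in executable_changes(SAMPLE_LOG.splitlines()):
        print(f"{c.ts:.3f} pid={c.pid} comm={c.comm} {sorted(c.perms)} "
              f"on {c.tclass} '{c.name}' ({c.ttype})")
```

On the sample input only the write to the bin_t file and the create/rename of the shlib_t symlink are reported; the read, the denial and the home-directory write are dropped. Because the filter keys on the target type rather than on a path, a new binary installed anywhere with one of those labels is covered without adding a watch, which is exactly the property the mail is after; the flip side is that a file with the wrong label is invisible to it, so the report is only as good as the labelling.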