From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: audisp plugin policy question(s)
Date: Wed, 22 Oct 2008 13:15:46 -0500
Message-ID: <1224699346.14755.170.camel@homeserver>
References: <1224693984.14755.115.camel@homeserver> <200810221253.54018.sgrubb@redhat.com>
In-Reply-To: <200810221253.54018.sgrubb@redhat.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

On Wed, 2008-10-22 at 12:53 -0400, Steve Grubb wrote:
> On Wednesday 22 October 2008 12:46:24 LC Bruzenak wrote:
> > Steve, Thanks for the info!
> > Right now my prelude-manager runs ranged SystemLow-SystemHigh.
> > Should this be only SystemHigh?
>
> I would put the prelude manager and correlator at the same level as the audit
> daemon since they get parts of the audit logs in events. So, if auditd is
> ranged, prelude should be.

The auditd runs syshi, so that means the prelude-manager should be changed.
I'll run the correlator on a non-MLS policy system where I aggregate all audit
data, so that one doesn't affect me (I think).

system_u:system_r:auditd_t:SystemHigh 5 S root 2660 1 0 76 -4 - 28177 epoll_ Oct20 ? 00:00:02 auditd

> > There are some spool files not set accordingly which cause AVCs.
> > I guess these need file contexts?
>
> Yep. Those spools are likely storage for transmissions while prelude-manager
> is down.

I think you are right. I set those manually (with chcon) and the access AVCs
were gone, but they need to be made permanent in policy. These subdirs/files
are all under /var/spool/prelude and /var/spool/prelude-manager.

> > Then there is a prelude-manager<->prelude-lml question, but I won't get
> > into that in case I hear "take it up with the prelude guys" from the
> > above.
>
> I would take it up with them iff you have a reproducible problem when not in
> MLS. If it only shows up when on MLS, you likely have a policy problem.

Then it's policy (or configuration). On my non-MLS machine it is fine.

Here's the issue:

Setup 1: Have a prelude_lml listening on each level for router syslogs.

 ----------------
| MLS server     |
| s1.s15:\       |
| c0.c1023       |
|                |
| prelude-mgr    |
|                |
| prelude_lml_1  |<------> (router1) WAN1 level s4:c3.c5
| prelude_lml_2  |<------> (router2) WAN2 level s14:c0.c1022
 ----------------

Then the lower-level prelude-lmls would need policy to talk to the syshi
prelude-manager. A more paranoid approach would be to also launch
prelude-managers at those levels in addition to the syshi one.

Setup 2: Make the prelude_lml be ranged, listening on both nets:

 ----------------
| MLS server     |
| s1.s15:\       |
| c0.c1023       |
|                |
| prelude-mgr    |
|                |
| prelude_lml    |<------> (router1) WAN1 level s4:c3.c5
|                |<------> (router2) WAN2 level s14:c0.c1022
 ----------------

In this case the same prelude-lml would listen on both nets. From a security
perspective it is possible for it to transfer data directly from one to the
other; however, given the data is only router logs, this would probably be
acceptable IMO.

In either case there is a risk that the prelude-manager could send
higher-classified data through the prelude-lml that I do not think we can
abate easily with policy, since it probably needs bidirectional data to
operate normally.

Thanks again!
LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
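As an added worked example (not part of the mail, prelude, or the reference policy), a small checker for the MLS dominance reasoning behind the two setups: it parses levels in the mail's sN:cA.cB notation, assumes SystemHigh is s15:c0.c1023, and reports which direction of prelude-lml to prelude-manager traffic is a clean write-up and which would be a write-down.

```python
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")

def parse_level(text):
    """'s4:c3.c5' -> (4, {3, 4, 5}); 'cA.cB' is an inclusive run, ',' separates runs."""
    m = LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError("bad MLS level: %r" % text)
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats

def dominates(a, b):
    """a dominates b iff a's sensitivity >= b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """'s1-s15:c0.c1023' -> (low, high); a single level means low == high."""
    low, _, high = text.partition("-")
    low = parse_level(low)
    high = parse_level(high) if high else low
    if not dominates(high, low):
        raise ValueError("range high must dominate low: %r" % text)
    return low, high

def write_allowed(src, dst):
    """No write-down: data at src may go to a process at dst only if dst dominates src."""
    return dominates(dst, src)

def ranged_covers(rng, level):
    """A ranged daemon (low, high) may talk at 'level' when low <= level <= high."""
    low, high = rng
    return dominates(level, low) and dominates(high, level)

def analyse_setup(manager, lmls):
    """Per single-level prelude-lml: is lml->manager a clean write-up, and would
    manager->lml be a write-down (the risk the mail raises)?"""
    mgr = parse_level(manager)
    return {name: {"lml_to_manager_ok": write_allowed(parse_level(lvl), mgr),
                   "manager_to_lml_ok": write_allowed(mgr, parse_level(lvl))}
            for name, lvl in lmls.items()}

if __name__ == "__main__":
    # Setup 1: manager at SystemHigh (assumed s15:c0.c1023), one lml per WAN level.
    print(analyse_setup("s15:c0.c1023", {"lml_1": "s4:c3.c5", "lml_2": "s14:c0.c1022"}))
    # Setup 2: one ranged lml spanning both WAN levels, so it can see both.
    both = parse_range("s4:c3.c5-s14:c0.c1022")
    print([ranged_covers(both, parse_level(l)) for l in ("s4:c3.c5", "s14:c0.c1022")])
```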