From: Steve Grubb
To: linux-audit@redhat.com
Subject: Re: multicast listeners and audit events to kmsg
Date: Thu, 23 Apr 2020 13:17:03 -0400
Message-ID: <132308961.kn0NcHyqfS@x2>
Organization: Red Hat
In-Reply-To: <20200423164401.GA63285@gardel-login>
References: <20200414092740.2fdf0f78@xantho> <20200423164401.GA63285@gardel-login>
Cc: Richard Guy Briggs, Lennart Poettering
List-Id: Linux Audit Discussion
On Thursday, April 23, 2020 12:44:01 PM EDT Lennart Poettering wrote:
> On Thu, 23.04.20 09:19, Casey Schaufler (casey@schaufler-ca.com) wrote:
>
> > > For example, Fedora CoreOS wants to enable selinux, thus is interested
> > > in audit messages, but have no intention to install auditd, in the
> > > typical, minimal images they generate. See:
> > >
> > > https://github.com/systemd/systemd/issues/15324
> >
> > If you can do a better job of consuming audit data than auditd I for one
> > would be impressed. I've written multiple audit systems over the years
> > (not this one, but the issues are all familiar and the solutions similar)
> > and the kernel -> user interface is much, much harder than it looks.
>
> The audit support in journald is really not about doing "a better
> job", or being "faster". Totally not. It's about making a common case
> easy, that's all.
>
> There are at least two very different use cases for the audit data:
>
> 1. auditing for the purpose of auditing (i.e. government style)
>
> 2. people who just want to debug their frickin selinux issues
>
> auditd is great for #1. for #2 people don't want to bother, journald
> is fine, speed or reliability or any such don't matter, the mcast
> stuff is definitely good enough, and the benefit of collecting the
> AVCs via audit from earliest boot on is a lot more interesting and
> important for such uses than to wonder what happens if the queue runs
> over...

It won't. Audit events are held until the audit daemon arrives. Also, selinux
sends AVCs to syslog without any audit daemon intervention. So, you already
have access to what you say you need. Try it. Uninstall the audit daemon, set
journald to not enable the audit system. Look in dmesg or syslog.
You should see any AVCs that were created.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
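Added example, not part of this thread or of any project discussed in it: a small POSIX shell parser for the SELinux AVC records that end up in dmesg/syslog when no audit daemon is consuming them, so the "look in dmesg" check above can be scripted. The kmsg lines embedded below are constructed samples; the field layout follows the standard type=1400 AVC record.

```shell
#!/bin/sh
# Parse SELinux AVC records (type=1400) out of kmsg-style text.
# SAMPLE_KMSG is constructed for this example, not captured from a real host.
SAMPLE_KMSG='[   12.345678] audit: type=1400 audit(1587662237.123:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
[   12.345700] audit: type=1300 audit(1587662237.123:42): arch=c000003e syscall=257 success=no exit=-13
[   13.000000] audit: type=1400 audit(1587662238.000:43): avc:  denied  { write } for  pid=1235 comm="nginx" name="access.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1'

# Number of AVC records in the given text (other audit record types are ignored).
count_avcs() {
    printf '%s\n' "$1" | awk '/type=1400/ { n++ } END { print n + 0 }'
}

# One summary line per AVC: permission scontext tcontext tclass permissive
summarize_avcs() {
    printf '%s\n' "$1" | awk '/type=1400/ {
        perm = ""; sc = ""; tc = ""; cls = ""; pm = "";
        # the requested permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) sc = substr($i, 10);
            else if ($i ~ /^tcontext=/) tc = substr($i, 10);
            else if ($i ~ /^tclass=/) cls = substr($i, 8);
            else if ($i ~ /^permissive=/) pm = substr($i, 12);
        }
        print perm, sc, tc, cls, pm
    }'
}

# Denials that were actually enforced (permissive=0), i.e. the ones that broke something.
count_enforced() {
    summarize_avcs "$1" | awk '$5 == "0"' | wc -l | tr -d ' '
}

# Live mode: run as "sh avc.sh --live" on a host without auditd to read dmesg directly.
if [ "${1:-}" = "--live" ]; then
    summarize_avcs "$(dmesg 2>/dev/null)"
fi
```

On a real host, journalctl -k or /var/log/messages can be fed to the same functions in place of dmesg.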