From: Eric Paris <eparis@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Kernel patches needed
Date: Sun, 12 May 2013 21:18:08 -0400 [thread overview]
Message-ID: <1368407888.929.15.camel@localhost> (raw)
In-Reply-To: <6029710.WhGyKOtD7f@x2>
On Thu, 2013-05-09 at 09:26 -0400, Steve Grubb wrote:
> Hi,
>
> I was just doing some validation work to make sure the newly converted
> ausearch is producing the exact same output as it used to...and found a couple
> items that needs patching.
>
> 1) AUDIT_TTY events are not recording a subject field.
This is just dumb. Seems to me that we need a new record type. Maybe
something like AUDIT_TASK_INFO? It should dump out the task info like
the pid, uid, gid, auid, ses, comm, subj etc. We really really really
should stop randomly spattering these pieces on info through other
record types. Make those record types small and easy to parse. Make
this record type small and consistent for everything. Why should we
ahve to parse all of this crap out different for a SYSCALL, vs USER, vs
TTY, vs MAGIC_BEANS? Just make all of the task info an aux record we
dump by default.
Just please, can we stop with the random ad hoc adding of fields to
random records?
Pretty pretty please?
No no, really.
Please?
With a cherry on top?
> 2) AVC records can sometimes have dev="md1". The dev field is documented as
> being the numeric device number. Cases like this should be changed to
> "devname" which can be encoded.
Hmmm. Interesting. AVC's have been outputting dev= as an untrusted
string since the beginning. Ok, maybe not the beginning of time, but
since SELinux was introduced on Thu Jul 31 19:54:11 2003. The audit
system wasn't added until Sun Apr 11 23:29:12 2004. So if anything, the
AVC behavior is right and the audit system behavior is wrong. The
'right' thing would be the fix the code that came later and screwed it
up. Thus we should change the audit system so that instead of dev=%02x:
%02x we output major=%02x minor=%02x.
Realistically, that would probably break some audit tools. So I'm not
actually suggesting that. I'm guessing that no tools care if we change
it in the LSM code but this is OLD behavior. I don't like the tone of
assumption that the documentation is correct, when clearly it is audit
which has been wrong since it was first introduced.
I'd suggest opening a BZ so it doesn't get lost.
> 3) We might need a supplemental record for *setxattr. The flags field is the
> fifth argument and not recorded anywhere.
How have we gotten along without this for so long? Do we really care
about the difference between XATTR_CREATE and XATTR_REPLACE? Those are
the only 2 flags...
If so put some justification in a RH bz...
prev parent reply other threads:[~2013-05-13 1:18 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-09 13:26 Kernel patches needed Steve Grubb
2013-05-13 1:18 ` Eric Paris [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1368407888.929.15.camel@localhost \
--to=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox