From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: seccomp and audit_enabled
Date: Tue, 13 Oct 2015 16:03:34 -0400 [thread overview]
Message-ID: <1489773.CGhBT1IxtY@x2> (raw)
In-Reply-To: <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>
> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
> Let me add some instrumentation and figure out what's going on. auditd
> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
> during startup (at least on our systems).
Tony,
We have bz 1227379
https://bugzilla.redhat.com/show_bug.cgi?id=1227379
There is a patch attached to disable systemd's propensity to turn on the audit
system. Are people complaining and opening bugs in your distribution? If so,
that might add more ammunition to get that fixed.
On Tuesday, October 13, 2015 03:19:20 PM Paul Moore wrote:
> > I'm of the opinion that nothing should get output (through the audit
> > system) if audit_enabled == 0. What you advocate calls for more than 2
> > possible states for audit_enabled or logging the information through
> > another mechanism than audit.
> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy);
The rules for CC are that any access decision must be auditable and selective.
That means that we need to be able to choose if we want to audit success,
and/or failure, and/or nothing.
The inability to turn off SE Linux AVCs in the audit logs is why the exclude
filter was created. Seccomp could be the same way.
-Steve
> if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals. To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).
next prev parent reply other threads:[~2015-10-13 20:03 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-10 3:50 seccomp and audit_enabled Tony Jones
2015-10-12 15:29 ` Paul Moore
2015-10-12 15:40 ` Paul Moore
2015-10-12 17:53 ` Tony Jones
2015-10-12 20:45 ` Kees Cook
2015-10-13 16:11 ` Paul Moore
2015-10-13 17:18 ` Tony Jones
2015-10-13 19:19 ` Paul Moore
2015-10-13 19:46 ` Tony Jones
2015-10-13 20:03 ` Steve Grubb [this message]
2015-11-06 21:45 ` Tony Jones
2015-11-06 21:36 ` Tony Jones
2015-11-20 17:51 ` Tony Jones
2015-11-20 21:26 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1489773.CGhBT1IxtY@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).