From: Steve Beattie
Subject: Re: [PATCH] audit config lockdown
Date: Sat, 27 Jan 2007 00:13:07 -0800
Message-ID: <20070127081307.GA360@suse.de>
References: <200701191439.55315.sgrubb@redhat.com>
In-Reply-To: <200701191439.55315.sgrubb@redhat.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

On Fri, Jan 19, 2007 at 02:39:55PM -0500, Steve Grubb wrote:
> The following patch adds a new mode to the audit system. It uses the
> audit_enabled config option to introduce the idea of audit enabled, but
> configuration is immutable. Any attempt to change the configuration
> while in this mode is audited. To change the audit rules, you'd need to
> reboot the machine.

Seems reasonable to me. Just a couple of comments.

> This patch also adds "res=" to a number of configuration commands that did not
> have it before.

The res= idiom is unfamiliar to me, seems like an is_xxx name
(is_allowed?) would make it clear what the intent is for.

> @@ -64,7 +64,9 @@
> * (Initialization happens after skb_init is called.) */
> static int audit_initialized;
>
> -/* No syscall auditing will take place unless audit_enabled != 0. */
> +/* 0 - no auditing
> + * 1 - auditing enabled
> + * 2 - auditing enabled and configuration is locked/unchangeable. */
> int audit_enabled;

You probably want a #define or enum for these values, rather than
using magic numbers.

Thanks.

--
Steve Beattie
SUSE Labs, Novell Inc.
http://NxNW.org/~steve/
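
Review bot: In the new comment above `int audit_enabled;`, the three states are documented only as the bare integers 0, 1 and 2, and both 1 and 2 mean auditing is on, so a check written as `audit_enabled == 1` would treat the locked state as disabled. Suggest named constants for the three values (for example an enum with off, on and locked members) and keeping enabled tests in the `!= 0` form that the removed comment described. The comment could also state whether anything can move the value out of state 2, since the hunk itself does not show that.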
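
The lockdown mode described in the quoted patch summary, as an added user-space sketch; it is not the kernel patch's code and not from either poster. The enum and function names and the record layout are assumptions made for illustration; only the values 0/1/2 and the `res=` field come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for the three values documented in the patch comment. */
enum audit_state {
    AUDIT_OFF    = 0,   /* no auditing */
    AUDIT_ON     = 1,   /* auditing enabled */
    AUDIT_LOCKED = 2    /* auditing enabled, configuration immutable */
};

static enum audit_state audit_enabled = AUDIT_OFF;
static char last_record[96];    /* most recent record, kept so callers can inspect it */

/* Constructed record format: res=1 means the change was applied, res=0 refused. */
static void log_config_change(int requested, int old, int res)
{
    snprintf(last_record, sizeof(last_record),
             "audit_enabled=%d old=%d res=%d", requested, old, res);
    fprintf(stderr, "%s\n", last_record);
}

/* Returns 0 if the state was changed, -1 if it was invalid or the config is locked. */
int audit_set_enabled(int requested)
{
    int old = audit_enabled;

    if (requested < AUDIT_OFF || requested > AUDIT_LOCKED)
        return -1;                      /* not one of the three defined states */
    if (old == AUDIT_LOCKED) {
        log_config_change(requested, old, 0);   /* refused, but still audited */
        return -1;
    }
    audit_enabled = (enum audit_state)requested;
    log_config_change(requested, old, 1);
    return 0;
}

/* Enabled test that stays correct for both AUDIT_ON and AUDIT_LOCKED. */
int audit_is_active(void) { return audit_enabled != AUDIT_OFF; }

const char *audit_last_record(void) { return last_record; }

int main(void)
{
    audit_set_enabled(AUDIT_ON);
    audit_set_enabled(AUDIT_LOCKED);
    int rc = audit_set_enabled(AUDIT_OFF);      /* refused until "reboot" */
    printf("rc=%d active=%d last=%s\n", rc, audit_is_active(), audit_last_record());
    return strcmp(audit_last_record(), "audit_enabled=0 old=2 res=0") != 0;
}
```

In this sketch the only way out of the locked state is to restart the process, which stands in for the reboot the summary mentions.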