From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: SELinux for auditing
Date: Thu, 1 Feb 2007 09:36:59 -0500 [thread overview]
Message-ID: <200702010936.59578.sgrubb@redhat.com> (raw)
In-Reply-To: <1170202290.4168.14.camel@localhost.localdomain>
On Tuesday 30 January 2007 19:11, Matthew Booth wrote:
> I have a couple of requirements which on the face of it don't seem
> simple to achieve with auditctl. These are:
>
> * Audit changes to executables
> * Audit changes to configuration files
>
> I'll concentrate on the former as it's more obviously problematic. I
> believe this would require putting a watch explicitly on every
> executable in the system.
Assuming current generation of audit code...
auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=bin_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=lib_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=shlib_t -k executables
> If this isn't correct, please correct me and this problem goes away.
Try the above. "ausearch -k executables" would let you find these events.
> This does 2 things. Firstly it enforces that the system won't execute
> files which aren't labelled with an executable type.
This might not be a bad thing to include even if the audit rules above solve
your problem.
> However, I'm worried I might be stepping outside design intentions. Is
> the above a good idea?
I'm hoping the audit system can meet any audit requirements. If not we need to
work some more at it.
> Is using SELinux for writing auditing rules a good idea in general?
If there are shortcomings in the audit system that you can solve another way,
I guess you have no choice. But we'd like to know that people cannot use the
audit system for its intended purpose.
-Steve
next prev parent reply other threads:[~2007-02-01 14:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-31 0:11 SELinux for auditing Matthew Booth
2007-02-01 14:36 ` Steve Grubb [this message]
2007-02-01 14:59 ` Stephen Smalley
2007-02-01 15:40 ` Steve Grubb
2007-02-02 12:37 ` Matthew Booth
2007-02-02 20:12 ` Steve Grubb
2007-02-17 0:14 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200702010936.59578.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox