* [PATCH 00/07][RFC] RACF audit plugin
@ 2007-09-28 13:28 Klaus Heinrich Kiwi
From: Klaus Heinrich Kiwi @ 2007-09-28 13:28 UTC (permalink / raw)
To: Linux-audit, sgrubb
List,
the IBM z/OS v1R8 brings remote authorization and auditing capabilities
to its 'Resource Access Control Facility' (RACF), through the
implementation of two LDAP extended operations in the IBM Tivoli
Directory Server (ITDS) - ITDS is the latest version of the z/OS LDAP
server.
The patches in the following messages implement a remote auditing
plugin for RACF, aiming to forward events from the Linux audit
subsystem for consolidation in a z/OS server.
Please review.
How it works:
=============
Using the auparse_feed() interface, the plugin reads from stdin, feeding
whatever gets in into auparse_feed(). When a complete event is
gathered, the 'push_event()' callback is called, which encodes the event
into a BER buffer and pushes it to a queue (queue size can be
configured). A second thread dequeues it and issues the LDAP extended
operation, waiting for the response in a synchronous way. Once we get a
response, we decode it and verify whether the event submission was successful
(we could skip this step right now since we're doing the submission in a
'best-effort' fashion, but it's desirable to check whether the event got
in or not right now, giving a better diagnosis of the reason).
It is also desirable to keep the event for future submission in case of
a network outage for example, although this deserves better thinking
related to keeping a parallel audit log file.
TODO list:
==========
- SELinux policy (currently, the plugin runs under the audit daemon
domain, which denies some network operations, for example)
- Man page
- code cleanups where possible
- store-and-forward in case of network outages (design suggestions are
welcome)
- Fix queue issues in SIGHUP situations
- Better integrate the plug-in into the audit.spec file
Comments are very welcome,
Klaus
--
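An added model of the pipeline the cover letter describes (example code written for this page, not from the patch series): auparse_feed() and the push_event() callback are stood in for by a small record grouper, the BER buffer and the ITDS extended operation by JSON and a simulated server, and the audit records are constructed. It also carries the store-and-forward item from the TODO list through as one possible design: an event the server cannot be reached for goes to a spool file, and spooled events are replayed in order before anything newer, so a restart after an outage does not reorder what the z/OS side sees. All names, the spool format and the response codes are assumptions of this example.

```python
import json
import queue
import re
import threading

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")  # event id carried by every record

class EventFeeder:
    """Models auparse_feed()/auparse_flush_feed(): group records sharing one audit id into events."""
    def __init__(self, on_event):
        self.on_event, self.partial, self.event_id, self.records = on_event, "", None, []

    def feed(self, data):  # data: whatever was just read from stdin
        self.partial += data
        *lines, self.partial = self.partial.split("\n")  # keep an incomplete tail
        for line in lines:
            m = MSG_RE.search(line)
            if not m:
                continue  # not an audit record
            eid = "%s:%s" % (m.group(1), m.group(2))
            if self.event_id is not None and eid != self.event_id:
                self.flush()
            self.event_id = eid
            self.records.append(line.strip())

    def flush(self):  # id changed or EOF: the event is complete (the RFC's push_event())
        if self.records:
            self.on_event({"id": self.event_id, "records": self.records})
        self.records = []

class Forwarder:
    """Bounded queue + worker thread: synchronous submit, response check, spool-and-replay on outage."""
    def __init__(self, submit, spool_path, maxsize=64):
        self.submit, self.spool_path = submit, spool_path  # submit: the extended operation
        self.q = queue.Queue(maxsize)  # configurable size; put() blocks the feeder when full
        self.rejected = []  # (event id, LDAP result code, message) kept for diagnosis
        self.thread = threading.Thread(target=self._worker, daemon=True)
        self.thread.start()

    def _worker(self):
        while (event := self.q.get()) is not None:  # None is the shutdown marker
            pending = self._drain_spool() + [event]  # older spooled events go first
            while pending and self._deliver(pending[0]):
                pending.pop(0)
            if pending:  # server unreachable: keep everything still owed, in order
                with open(self.spool_path, "a") as f:
                    f.writelines(json.dumps(ev) + "\n" for ev in pending)

    def _deliver(self, event):  # True if the server answered, False if unreachable
        try:  # JSON stands in for the BER encoding of request and response
            resp = json.loads(self.submit(json.dumps(event).encode()))
        except ConnectionError:
            return False
        if resp["result"] != 0:
            self.rejected.append((event["id"], resp["result"], resp.get("msg", "")))
        return True

    def _drain_spool(self):
        try:
            with open(self.spool_path) as f:
                events = [json.loads(line) for line in f if line.strip()]
        except FileNotFoundError:
            return []
        open(self.spool_path, "w").close()
        return events

class FakeServer:
    """Simulated ITDS endpoint: raises for the first `outage` calls, rejects ids in reject_ids (rc 50)."""
    def __init__(self, outage=0, reject_ids=()):
        self.outage, self.reject_ids, self.received = outage, set(reject_ids), []

    def submit(self, wire):
        if self.outage > 0:
            self.outage -= 1
            raise ConnectionError("ldap server unreachable")
        eid = json.loads(wire)["id"]
        self.received.append(eid)
        resp = {"result": 0} if eid not in self.reject_ids else {
            "result": 50, "msg": "insufficientAccessRights"}
        return json.dumps(resp).encode()

SAMPLE_STDIN = (  # constructed records in audispd stdin format: event 101 (2 records), then 102
    'type=SYSCALL msg=audit(1190985600.100:101): syscall=2 success=yes exe="/bin/cat"\n'
    'type=PATH msg=audit(1190985600.100:101): item=0 name="/etc/shadow"\n'
    'type=USER_LOGIN msg=audit(1190985601.200:102): auid=500 acct="root" res=failed\n'
)

def run_pipeline(text, submit, spool_path):
    fw = Forwarder(submit, spool_path)
    feeder = EventFeeder(fw.q.put)  # queue.put plays the RFC's push_event() role
    for i in range(0, len(text), 37):  # feed in arbitrary chunks, as stdin reads arrive
        feeder.feed(text[i:i + 37])
    feeder.flush()  # EOF
    fw.q.put(None)
    fw.thread.join()
    return fw

if __name__ == "__main__":  # one outage on the first submission, then both events land
    server = FakeServer(outage=1)
    fw = run_pipeline(SAMPLE_STDIN, server.submit, "racf-example.spool")
    print("received:", server.received, "rejected:", fw.rejected)
```

The spool is a plain append file drained on the next delivery attempt; the window between truncating it and re-appending undelivered events is a crash risk a real plugin would close with a rename-based rewrite. The queue blocks the feeding side when it fills, which back-pressures the dispatcher; dropping instead is the other option a configurable queue size implies, and either choice should be logged.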
* Re: [PATCH 00/07][RFC] RACF audit plugin
From: Steve Grubb @ 2007-09-28 18:47 UTC (permalink / raw)
To: klausk; +Cc: Linux-audit
On Friday 28 September 2007 09:28:07 Klaus Heinrich Kiwi wrote:
> The patches in the following messages implements a remote auditing
> plugin for RACF, targeting to forward events from the Linux audit
> subsystem for consolidation in a z/OS server.
Thanks for this patch Klaus. I'll see about integrating it. What platforms
should this be enabled for? All or something specific? IOW if this was built
on i386, would it be used?
Thanks,
-Steve
* Re: [PATCH 00/07][RFC] RACF audit plugin
From: Klaus Heinrich Kiwi @ 2007-09-28 19:42 UTC (permalink / raw)
To: linux-audit
On Fri, 28 Sep 2007 14:47:18 -0400, Steve Grubb wrote:
> Thanks for this patch Klaus. I'll see about integrating it. What
> platforms should this be enabled for? All or something specific? IOW if
> this was built on i386, would it be used?
>
Steve,
despite the RACF server being z/OS only, pretty much any arch can
benefit from audit event consolidation, so I'd suggest enabling it for all
archs. In my development env, I've successfully tested it on x86_64 and
s390x.
Thanks,
Klaus K.
* Re: [PATCH 00/07][RFC] RACF audit plugin
From: Steve Grubb @ 2007-09-28 20:01 UTC (permalink / raw)
To: linux-audit
On Friday 28 September 2007 15:42:50 Klaus Heinrich Kiwi wrote:
> On Fri, 28 Sep 2007 14:47:18 -0400, Steve Grubb wrote:
> > Thanks for this patch Klaus. I'll see about integrating it. What
> > platforms should this be enabled for? All or something specific? IOW if
> > this was built on i386, would it be used?
>
> despite the RACF server being z/OS only, pretty much any arch can
> benefit from audit event consolidation, so I'd suggest enabling it to all
> archs.
So would this be used in a data center to send events from various machines to
a z/OS server? Or how would other people use and benefit from this plugin?
Also, the TODO list probably needs a short man page for the plugin and its
configuration.
Thanks,
-Steve
* Re: [PATCH 00/07][RFC] RACF audit plugin
From: Klaus Heinrich Kiwi @ 2007-09-28 20:18 UTC (permalink / raw)
To: linux-audit
On Fri, 28 Sep 2007 16:01:55 -0400, Steve Grubb wrote:
> So would this be used in a data center to send events from various
> machines to a z/OS server? Or how would other people use and benefit
> from this plugin?
Yes it will forward the Linux auditing events for consolidation in a RACF
server. The 'client' Linux machines can be of any arch, and we can feed a
single RACF server with events from several different Linux boxes.
> Also, the TODO list probably needs a short man page for the plugin and
> its configuration.
I thought it was already there.. ;)
Thanks,
Klaus K.
* Re: [PATCH 00/07][RFC] RACF audit plugin
From: Klaus Heinrich Kiwi @ 2007-09-28 21:09 UTC (permalink / raw)
To: linux-audit
On Fri, 28 Sep 2007 10:28:07 -0300, Klaus Heinrich Kiwi wrote:
> TODO list:
> ==========
> - SELinux policy (currently, the plugin runs under the audit daemon
> domain, which denies some network operations, for example)
Steve,
you mentioned in an IRC chat that dwalsh has made a nice GUI tool for
building new policy - can you point it out??
Dan mentioned we would need a policy module that gets loaded by a
post-install script upon the plugin installation. The policy module would
define 'racf_t' and 'racf_exec_t' types, and the 'racf_exec_t'-labeled
plugin would then transition to its own 'racf_t' domain upon execution.
Transition would be allowed by the 'racf_domtrans(auditd_t)' interface.
As for 'racf_t' permissions, I need LDAP and DNS access. Reading the AVC
messages I saw I may need:
tcp_socket { read write shutdown name_connect connect setopt create }
udp_socket { read write getattr connect create }
netlink_route_socket { nlmsg_read read }
Does anyone know if this set of permissions is implemented by a more generic
policy interface? Dan?
Thanks!
Klaus K
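On the generic-interface question, an added sketch (not the module from the patch series) of how the module described above could look in refpolicy terms: sysnet_dns_name_resolve() is the interface that carries the udp_socket and netlink_route_socket rules the resolver needs, corenet_tcp_connect_ldap_port() covers name_connect to the LDAP port type, and domtrans_pattern() behind racf_domtrans() also grants use of the inherited stdin pipe and fd. The plugin path, the signal rule, the version number and the exact interface names are assumptions to check against the refpolicy in your tree and against audit2allow output.

```selinux
# racf.te (sketch; binary path, signal rule and interface names are assumed)
policy_module(racf, 0.1)

type racf_t;
type racf_exec_t;
domain_type(racf_t)
domain_entry_file(racf_t, racf_exec_t)
role system_r types racf_t;

gen_require(`
	type auditd_t;
')

# auditd forks the plugin: entering racf_exec_t switches to racf_t.
# domtrans_pattern (via racf_domtrans) also allows racf_t to use the
# auditd_t fd and pipe it inherits as stdin.
racf_domtrans(auditd_t)
allow auditd_t racf_t:process { signal sigkill };  # SIGHUP/SIGTERM from the dispatcher (assumed)
allow racf_t self:process signal;                  # worker thread signalling (assumed)

# tcp_socket { create setopt connect read write shutdown ... } on its own sockets
allow racf_t self:tcp_socket create_stream_socket_perms;

# name_connect to ldap_port_t (389/636) plus send/recv on the interface and node
corenet_tcp_sendrecv_generic_if(racf_t)
corenet_tcp_sendrecv_generic_node(racf_t)
corenet_tcp_sendrecv_ldap_port(racf_t)
corenet_tcp_connect_ldap_port(racf_t)

# udp_socket { create connect getattr read write } and
# netlink_route_socket { nlmsg_read read } are what name resolution needs
sysnet_dns_name_resolve(racf_t)

files_read_etc_files(racf_t)        # /etc/ldap.conf and the plugin's own config
libs_use_ld_so(racf_t)
libs_use_shared_libs(racf_t)
miscfiles_read_localization(racf_t)
logging_send_syslog_msg(racf_t)     # report rejected or undeliverable events

# racf.if
interface(`racf_domtrans',`
	gen_require(`
		type racf_t, racf_exec_t;
	')
	domtrans_pattern($1, racf_exec_t, racf_t)
')

# racf.fc (path assumed)
/sbin/audisp-racf	--	gen_context(system_u:object_r:racf_exec_t,s0)
```

If ITDS listens on a port that is not labeled ldap_port_t, either label it with semanage port or the name_connect denial will come back; build with the refpolicy Makefile, load with semodule -i racf.pp, relabel the binary with restorecon, and iterate on the remaining AVC messages with audit2allow rather than widening to corenet_tcp_connect_all_ports.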
* Re: [PATCH 00/07][RFC] RACF audit plugin
From: Steve Grubb @ 2007-09-28 22:43 UTC (permalink / raw)
To: linux-audit
On Friday 28 September 2007 17:09:20 Klaus Heinrich Kiwi wrote:
> On Fri, 28 Sep 2007 10:28:07 -0300, Klaus Heinrich Kiwi wrote:
> > TODO list:
> > ==========
> > - SELinux policy (currently, the plugin runs under the audit daemon
> > domain, which denies some network operations, for example)
>
> Steve,
>
> you mentioned in an IRC chat that dwalsh has made a nice GUI tool for
> building new policy - can you point it out??
You need to have policycoreutils-gui package installed. In F7, bring up the SE
Linux Administration tool in System | Administration. Select the Policy
Module item in the left window pane, then click on New button in tool bar.
This starts the druid. On rawhide/F8, I think it's broken out as its own
program in Applications | System Tools menu item.
Dan wrote a nice article about using this policy GUI tool here:
http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
Have fun....
-Steve