problem about audit

linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed

* problem about audit
@ 2010-03-09  1:37 tianyong1979sh
  2010-03-09 15:53 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: tianyong1979sh @ 2010-03-09  1:37 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 1326 bytes --]

hi,
     Here there is a question ,and please help me .
     my work is that when user input "getfacl" or "setfacl", whatever success or failed, 
the process of auditd can log this operation and the operation type is AUDIT_DAC_CHECHK that is defined in libaudit.h .
     In order to reach the destination ,i modified the codes in the packets of acl-2.2.39 and audit-1.7.7 .
     Firstly ,i added the function audit_log_acct_message()  in the file of getfacl.c and setfacl.c in the audited place and 
the function audit_log_acct_message() is in file audit_logging.c of the audit-1.7.7.
     Secondly, i make the the project of  acl and the result is ok .And i run the object file of getfacl. 
When the user is root,the audit message of getfacl operation can be logged.But when the user is normal user,the audit message cann't 
be logged. The VAR "errno" value is "Operation not permitted".when i execute the command "chmod u+s getfacl" as root. and then 
the audit message of getfacl operation can be logged au normal user.
     how i can reslove the problem that when normal user and normal authority execute the command "getfacl" ,the audit system still can log the operation?????  
   
   thank you very much. i am looking forward to your reply!!!
   
   
                                                           tianyong 

[-- Attachment #1.2: Type: text/html, Size: 1925 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: problem about audit
  2010-03-09  1:37 problem about audit tianyong1979sh
@ 2010-03-09 15:53 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2010-03-09 15:53 UTC (permalink / raw)
  To: linux-audit; +Cc: tianyong1979sh

On Monday 08 March 2010 08:37:50 pm tianyong1979sh wrote:
>      my work is that when user input "getfacl" or "setfacl", whatever
> success or failed, the process of auditd can log this operation 

On Linux, ACLs are stored as extended attributes. You can audit success and 
failure by using these rules:

-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S 
removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S 
removexattr -S lremovexattr -S fremovexattr

-a exit,always -F arch=b32 -S getxattr -S lgetxattr -S fgetxattr -S listxattr 
-S llistxattr -S flistxattr
-a exit,always -F arch=b64 -S getxattr -S lgetxattr -S fgetxattr -S listxattr 
-S llistxattr -S flistxattr

You can also add a -k setfacl and -k getfacl respectively if you wanted. SE 
Linux also writes to the xattrs when policy is updated, so you would possible 
have that issue, too.

> and the operation type is AUDIT_DAC_CHECHK that is defined in libaudit.h.

That type is meant for applications that do access control. In other words, 
suppose an application connects to a local server and the server checks its 
access control rules and decides that a connection should be allowed or 
rejected. In that case, you would use this type. For any other use, the 
generic AUDIT_TRUSTED_APP type is available for anything.

> In order to reach the destination ,i modified the codes in the packets
> of acl-2.2.39 and audit-1.7.7 . Firstly ,i added the function
> audit_log_acct_message()  in the file of getfacl.c and setfacl.c in the
> audited place and the function audit_log_acct_message() is in file
> audit_logging.c of the audit-1.7.7. Secondly, i make the the project of 
> acl and the result is ok .And i run the object file of getfacl. When the
> user is root,the audit message of getfacl operation can be logged.But when
> the user is normal user,the audit message cann't be logged.

Correct. This is so that unprivileged users and operations cannot spam the 
audit logs. Allowing anything to write to the audit system would destroy the 
integrity guarantees and reduce it to being another syslog.

> The VAR "errno" value is "Operation not permitted".when i execute the
> command "chmod u+s getfacl" as root. and then the audit message of getfacl
> operation can be logged au normal user. how i can reslove the problem that
> when normal user and normal authority execute the command "getfacl" ,the
> audit system still can log the operation?????

You would need to make the application setuid root or if your OS supports file 
system based capabilities, then you can grant CAP_AUDIT_WRITE to the program.

But, do you really need to alter getfacl and setfacl? We were able to obtain 
Common Criteria certification without modifying those apps. Besides, someone 
could use another app besides those two to write/read the ACLs. Only watching 
the syscalls can provide a complete solution.

-Steve

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2010-03-09 15:53 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-03-09  1:37 problem about audit tianyong1979sh
2010-03-09 15:53 ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).