From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: reactive audit question
Date: Fri, 19 Nov 2010 11:20:16 -0500 [thread overview]
Message-ID: <201011191120.16426.sgrubb@redhat.com> (raw)
In-Reply-To: <1289582683.2136.36.camel@lcb>
Hi Lenny,
On Friday, November 12, 2010 12:24:43 pm LC Bruzenak wrote:
> In our systems there are occasionally AVC "storms" which happen as a
> result of some unforeseen (and often unknown) issue tickled by various
> reasons.
>
> At fielded sites, we are unable to fix this easily. Since we have to
> keep all the audit data, this leads to many problems on a system running
> over a weekend, for example, with no administrators around.
>
> I probably need to add in either some rate-limiting code or possibly
> kill off the process generating the AVCs. Rate-limiting I'd guess could
> go into the auditd. If I wanted to be more brutal and kill the process,
> I'd think maybe a modification to the setroubleshoot code would be
> workable.
I didn't answer right away because I didn't have a good answer for you. If the storm
is large enough to overrun the kernel queue, the rate limiting needs to be in the
kernel. If auditd is able to handle the load, then perhaps you need an analysis plugin
that performs whatever action you deem best.
> I don't think that a reactive rule is an option -
> 1) We have our rules locked into the kernel on startup and I'm against
> changing that, and
> 2) maybe "normal" avc counts, under a threshold, we'd still want to see,
> from that same process. Besides,
> 3) unless the rules have been changed, we cannot exclude AVCs from a
> particular type/process anyway.
>
> Got any thoughts/ideas/advice?
What is the general source of the problem right now? Was it just that the app was
doing something that policy didn't know it could do? Or was there attacks under way
that someone was trying something bad? Or was its just an admin mistake where
something didn't have the right label? Each of these has a different solution.
I think this is a complex problem and controls might be needed at several spots. I'd
be open to hearing ideas on this too. I've also been wondering if the audit daemon
might want to use control groups as a means of keeping itself scheduled for very busy
systems. But i'd like to hear other people's thoughts.
-Steve
next prev parent reply other threads:[~2010-11-19 16:20 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-12 17:24 reactive audit question LC Bruzenak
2010-11-19 16:20 ` Steve Grubb [this message]
2010-11-19 18:05 ` LC Bruzenak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201011191120.16426.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox