From: Richard Guy Briggs <rgb@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 4/5] audit: add netlink multicast group for log read
Date: Wed, 12 Mar 2014 11:25:34 -0400 [thread overview]
Message-ID: <20140312152534.GD15329@madcap2.tricolour.ca> (raw)
In-Reply-To: <2795526.vxfGvhKi1e@x2>
On 14/03/12, Steve Grubb wrote:
> On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
> > On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> > > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > > > Add a netlink multicast socket with one group to kaudit for
> > > > "best-effort"
> > > > delivery to read-only userspace clients such as systemd, in addition to
> > > > the
> > > > existing bidirectional unicast auditd userspace client.
> > >
> > > One question...we do have to have the ability to separate of secadm_r and
> > > sysadm_r. By allowing this we will leak to a sysadmin that he is being
> > > audited by the security officer. In a lot of cases, they are one in the
> > > same person. But for others, they are not. I have a feeling this will
> > > cause problems for MLS systems.
At first I had no idea what you were talking about but Eric's reply
helps to understand the context.
> > A good question. But easily solved in policy. Don't give
> > CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
> > from the multicast socket.
This seems like an easy one.
> That also means that we probably want an audit event for any successful and
> unsuccessful attempts to connect for _reading_ audit events.
That could easily be added to the new custom netlink bind function.
> -Steve
>
> > As to what others who read from the journal I guess we can just make
> > sure it is a config option whether to collect or not. Most everyone
> > would want to collect, but some configs might obviously not.
This would be easy to add as a "feature", I'm guessing...
> > I'll roll around in the back of my head the ability for auditctl to
> > disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
> > lot more nicely...
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
next prev parent reply other threads:[~2014-03-12 15:25 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-19 18:08 [PATCH 0/5] audit: add restricted capability read-only netlink multicast socket Richard Guy Briggs
2014-02-19 18:08 ` [PATCH 1/5] audit: move kaudit thread start from auditd registration to kaudit init Richard Guy Briggs
2014-02-19 18:08 ` [PATCH 2/5] netlink: have netlink per-protocol bind function return an error code Richard Guy Briggs
2014-02-19 18:08 ` [PATCH 3/5] audit: add netlink audit protocol bind to check capabilities on multicast join Richard Guy Briggs
2014-02-19 19:15 ` Eric Paris
2014-02-19 19:41 ` Richard Guy Briggs
2014-02-19 18:08 ` [PATCH 4/5] audit: add netlink multicast group for log read Richard Guy Briggs
2014-03-12 12:55 ` Steve Grubb
2014-03-12 13:18 ` Eric Paris
2014-03-12 13:35 ` Steve Grubb
2014-03-12 15:25 ` Richard Guy Briggs [this message]
2014-02-19 18:08 ` [PATCH 5/5] audit: send multicast messages only if there are listeners Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140312152534.GD15329@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).