From: Richard Guy Briggs
Subject: Re: [PATCH 4/5] audit: add netlink multicast group for log read
Date: Wed, 12 Mar 2014 11:25:34 -0400
Message-ID: <20140312152534.GD15329@madcap2.tricolour.ca>
References: <2100301.77CFu0czT9@x2> <1394630294.10287.9.camel@localhost> <2795526.vxfGvhKi1e@x2>
In-Reply-To: <2795526.vxfGvhKi1e@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 14/03/12, Steve Grubb wrote:
> On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
> > On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> > > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > > > Add a netlink multicast socket with one group to kaudit for "best-effort"
> > > > delivery to read-only userspace clients such as systemd, in addition to the
> > > > existing bidirectional unicast auditd userspace client.
> > >
> > > One question...we do have to have the ability to separate of secadm_r and
> > > sysadm_r. By allowing this we will leak to a sysadmin that he is being
> > > audited by the security officer. In a lot of cases, they are one in the
> > > same person. But for others, they are not. I have a feeling this will
> > > cause problems for MLS systems.

At first I had no idea what you were talking about but Eric's reply helps to
understand the context.

> > A good question. But easily solved in policy. Don't give
> > CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
> > from the multicast socket. This seems like an easy one.
>
> That also means that we probably want an audit event for any successful and
> unsuccessful attempts to connect for _reading_ audit events.

That could easily be added to the new custom netlink bind function.

> -Steve
>
> > As to what others who read from the journal I guess we can just make
> > sure it is a config option whether to collect or not. Most everyone
> > would want to collect, but some configs might obviously not.

This would be easy to add as a "feature", I'm guessing...

> > I'll roll around in the back of my head the ability for auditctl to
> > disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
> > lot more nicely...

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
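For readers following the thread, here is a minimal read-only userspace consumer of the multicast group being discussed (the systemd-style client, as opposed to the unicast auditd client). This is an added example, not code from the patch series or from any project in the thread; it assumes Linux headers that define AUDIT_NLGRP_READLOG (a fallback value of 1 is used otherwise), and that the running kernel enforces CAP_AUDIT_READ on bind, so a caller whose domain lacks that capability sees EPERM rather than a silent leak of audit data.

```c
/* Added example: read-only audit multicast client (not from the patch series). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1   /* fallback for headers predating the multicast group */
#endif

/* Netlink group IDs are 1-based; nl_groups is a bitmask, so group N is bit N-1. */
unsigned int readlog_group_mask(int group)
{
    return (group > 0 && group <= 32) ? 1u << (group - 1) : 0u;
}

/* Explain a failed bind() in terms of the capability model the thread proposes. */
const char *readlog_bind_diagnosis(int err)
{
    if (err == EPERM)
        return "EPERM: caller lacks CAP_AUDIT_READ, so the audit log is not exposed to it";
    return strerror(err);
}

/* Join the read-only group and print up to max_events raw records. The unicast
 * auditd socket is untouched; this socket never sends anything to the kernel. */
int run_readlog_client(int max_events)
{
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK };
    char buf[8192];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    addr.nl_groups = readlog_group_mask(AUDIT_NLGRP_READLOG);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int err = errno;
        fprintf(stderr, "bind: %s\n", readlog_bind_diagnosis(err));
        close(fd);
        return -err;
    }
    for (int n = 0; n < max_events; n++) {
        ssize_t len = recv(fd, buf, sizeof(buf), 0);
        if (len < (ssize_t)sizeof(struct nlmsghdr))
            break;
        struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
        /* nlmsg_type is the audit record type; the payload is the record text. */
        printf("type=%u %.*s\n", nlh->nlmsg_type,
               (int)(nlh->nlmsg_len - NLMSG_HDRLEN), (char *)NLMSG_DATA(nlh));
    }
    close(fd);
    return 0;
}

int main(void) { return run_readlog_client(10) == 0 ? 0 : 1; }
```

Run it as a process that holds CAP_AUDIT_READ to see records; run it from a domain without that capability to confirm that bind() is refused, which is the policy split Eric describes.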