public inbox for linux-audit@redhat.com
From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: excluding auditd events
Date: Thu, 26 May 2011 15:07:57 +0100	[thread overview]
Message-ID: <4DDE5EBD.7060601@googlemail.com> (raw)
In-Reply-To: <201105260950.33723.sgrubb@redhat.com>


> Yes, that is the -b option to auditctl. No matter what you set it to, it can be 
> overflowed by the right conditions. This is why the audit daemon does no filtering.
Thanks, I realise it doesn't bring 100% certainty against overflowing 
(what does?), but it at least helps.

>> You mean the message type?
>
> An event is composed of records. Sometimes just one record, sometimes 5 or 6, but they
> are all linked with a timestamp and serial number.
So filtering could be done on message type and SELinux subject, 
eventually, by using "user,never"? I take it this isn't implemented yet 
(the message type filter part)?

> I have been toying with the idea of creating a detached signature where the audit 
> daemon leaves a public key for use in verifying the integrity of the log. But that 
> still does not prevent someone from mimicking the algorithm themselves after modifying 
> the files.
That kind of tampering won't be possible if the token is taken from a 
trusted source (smartcard in my case), is then kept in memory and is 
never visible to anyone/anything except the audit daemon. That token is 
then used to create all the hashes needed to do the verification. When 
a sysadmin (or other authorised personnel) needs to do record verification, 
they simply insert the smartcard and run a separate tool 
(ausearch/aureport-type tool), which retrieves the token again from the 
smartcard, verifies whatever needs to be verified in the logs 
and produces the report needed.

At least this is how I have it currently implemented in my database.

> For ultimate protection, we suggest remote logging to a box that has 
> restricted access.
That is certainly a possibility (but then again the box needs to be 
"secure"), though since I am not very familiar with the audit daemon 
I'll just ask: is the connection between the 2 daemons (on the secure 
box as well as the daemon sending the logs) encrypted so as to prevent 
tampering en route (man-in-the-middle etc. attacks)?


Thread overview: 13+ messages
2011-05-26  0:22 excluding auditd events Mr Dash Four
     [not found] ` <201105260802.21606.sgrubb@redhat.com>
2011-05-26 13:16   ` Mr Dash Four
2011-05-26 13:50     ` Steve Grubb
2011-05-26 14:07       ` Mr Dash Four [this message]
2011-05-26 14:16         ` Steve Grubb
2011-05-26 14:23           ` Mr Dash Four
2011-05-26 14:33             ` Steve Grubb
2011-05-26 15:22               ` Mr Dash Four
2011-05-26 15:51                 ` LC Bruzenak
2011-05-26 16:10                   ` Mr Dash Four
2011-06-01 12:54           ` Mr Dash Four
2011-06-01 14:08             ` LC Bruzenak
2011-06-01 14:47               ` Mr Dash Four
