From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 1/1] audit: CONFIG_CHANGE don't log internal bookkeeping as an event
Date: Tue, 07 Jan 2020 17:52:48 -0500
Message-ID: <5079865.NZeRZbyqen@x2>
In-Reply-To: <CAHC9VhT28zhWmt2pNDmaLR2p6D39o3LRmVU34Ue3Z_WUNzMdcw@mail.gmail.com>
On Monday, January 6, 2020 8:47:33 PM EST Paul Moore wrote:
> On Sun, Jan 5, 2020 at 10:22 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > Common Criteria calls out for any action that modifies the audit trail to
> > be recorded. That usually is interpreted to mean insertion or removal of
> > rules. It is not required to log modification of the inode information
> > since the watch is still in effect. Additionally, if the rule is a never
> > rule and the underlying file is one they do not want events for, they
> > get an event for this bookkeeping update against their wishes.
> >
> > Since no device/inode info is logged at insertion and no device/inode
> > information is logged on update, there is nothing meaningful being
> > communicated to the admin by the CONFIG_CHANGE updated_rules event. One
> > can assume that the rule was not "modified" because it is still watching
> > the intended target. If the device or inode cannot be resolved, then
> > audit_panic is called which is sufficient.
> >
> > I think the correct resolution is to drop logging config_update events
> > since the watch is still in effect but just on another unknown inode.
>
> Either this patch is the correct resolution or it isn't, the
> description should state that clearly. If you are unsure we can
> discuss it, but it sounds like you are certain that this record isn't
> needed here, yes?
It's not needed based on the rationale above, and it's irritating some people
because of that.
-Steve
> > Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> > ---
> >
> > kernel/audit_watch.c | 2 --
> > 1 file changed, 2 deletions(-)
> >
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 4508d5e0cf69..8a8fd732ff6d 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent
> > *parent,>
> > if (oentry->rule.exe)
> >
> > audit_remove_mark(oentry->rule.exe);
> >
> > - audit_watch_log_rule_change(r, owatch,
> > "updated_rules"); -
> >
> > call_rcu(&oentry->rcu, audit_free_rule_rcu);
> >
> > }
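Review bot: the removed call is the only emitter of the "updated_rules" CONFIG_CHANGE record in this loop, so the commit message should state plainly that this record is being dropped and why (the watch remains in effect on the new device/inode, and the unresolvable case is already covered by audit_panic), rather than "I think the correct resolution is"; that is the point raised in the reply above. Also confirm after removing `audit_watch_log_rule_change(r, owatch, "updated_rules");` that the loop variable `r` and audit_watch_log_rule_change() itself still have other uses, so the change does not introduce an unused-variable or unused-function warning, and mention in the description that userspace consumers matching op=updated_rules will no longer see that record. Note too that the quoted hunk as it appears here has been re-wrapped by the mail client (the `"updated_rules"); -` line and the split `@@` header), so anyone applying it should take the patch from the original posting, not from this reply.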
Thread overview: 6+ messages
2020-01-05 15:22 [PATCH 1/1] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Steve Grubb
2020-01-07 1:47 ` Paul Moore
2020-01-07 22:52 ` Steve Grubb [this message]
2020-01-07 23:29 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2020-01-08 13:37 Steve Grubb
2020-01-09 4:42 ` Paul Moore