From: Steve Grubb
Subject: Re: [PATCH 1/1] audit: CONFIG_CHANGE don't log internal bookkeeping as an event
Date: Tue, 07 Jan 2020 17:52:48 -0500
Message-ID: <5079865.NZeRZbyqen@x2>
References: <2595185.DiOs4DVqks@x2>
To: Paul Moore
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, January 6, 2020 8:47:33 PM EST Paul Moore wrote:
> On Sun, Jan 5, 2020 at 10:22 AM Steve Grubb wrote:
> > Common Criteria calls out for any action that modifies the audit trail to
> > be recorded. That usually is interpreted to mean insertion or removal of
> > rules. It is not required to log modification of the inode information
> > since the watch is still in effect. Additionally, if the rule is a never
> > rule and the underlying file is one they do not want events for, they
> > get an event for this bookkeeping update against their wishes.
> >
> > Since no device/inode info is logged at insertion and no device/inode
> > information is logged on update, there is nothing meaningful being
> > communicated to the admin by the CONFIG_CHANGE updated_rules event. One
> > can assume that the rule was not "modified" because it is still watching
> > the intended target. If the device or inode cannot be resolved, then
> > audit_panic is called which is sufficient.
> >
> > I think the correct resolution is to drop logging config_update events
> > since the watch is still in effect but just on another unknown inode.
>
> Either this patch is the correct resolution or it isn't, the
> description should state that clearly. If you are unsure we can
> discuss it, but it sounds like you are certain that this record isn't
> needed here, yes?
It's not needed based on the rationale above and it's irritating some people because of that. -Steve > > Signed-off-by: Steve Grubb > > --- > > > > kernel/audit_watch.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > > index 4508d5e0cf69..8a8fd732ff6d 100644 > > --- a/kernel/audit_watch.c > > +++ b/kernel/audit_watch.c > > @@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent > > *parent,> > > if (oentry->rule.exe) > > > > audit_remove_mark(oentry->rule.exe); > > > > - audit_watch_log_rule_change(r, owatch, > > "updated_rules"); - > > > > call_rcu(&oentry->rcu, audit_free_rule_rcu); > > > > }
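Review bot: the commit message should state the resolution definitively and spell out the user-visible effect of the hunk in audit_update_watch(): with `audit_watch_log_rule_change(r, owatch, "updated_rules");` removed, the CONFIG_CHANGE "updated_rules" record is no longer emitted when a watched path is rebound to a new inode, so any log consumer that relied on that record to notice the rebinding will stop seeing it. The "I think the correct resolution is ..." wording in the description is what reads as uncertain, as the reply above points out; replacing it with a plain statement that the record is intentionally dropped because the watch remains in effect, and noting that the rule list (not the audit log) is now the place to confirm the watch, would close that gap. Removing the blank line after the call along with it is fine, since call_rcu() still follows cleanly.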