Auditing - Snare, LAuS, SELinux

James Morris jmorris at redhat.com
Wed Sep 8 15:11:37 UTC 2004


On Wed, 8 Sep 2004, Stephen Smalley wrote:

> SELinux already supports auditing based on security labels.  Stephen
> Tweedie further suggested introducing a separate security.audit
> attribute for files that would allow you to mark a file for auditing
> without necessarily using a separate security label on it (or without
> even SELinux at all).  Using attributes is definitely preferable to
> pathname-based approaches, as it allows you to unambiguously mark the
> real object and avoids the usual pathname manipulation games.

I think there are some drawbacks to this approach, which I've previously
outlined privately:

If someone manages to modify/remove the xattr, then further auditing would
not work for that file.  How do you stop this from happening in a DAC
system?  With a centralized audit policy, you only need to protect the
path through which the policy is loaded.

How do you manage global audit policy?  e.g. the question 'which files
will be audited?' requires a non-atomic scan of the entire filesystem.

Similarly, implementing a policy of 'audit all attempts to write to files
in /bin' implies a non-atomic operation, where, e.g. a new file could be
written to /bin after the xattr tagging started.

I think it's better to have a centralized policy which can be updated
atomically and applied within the kernel, rather than being distributed
with each object to be audited.


- James
-- 
James Morris
<jmorris at redhat.com>
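The two drawbacks raised in the mail above, modelled as an added example (this is not code from the mail, from SELinux or from the Linux audit subsystem). It uses an in-memory stand-in for the filesystem and a hypothetical `security.audit` xattr name taken from the discussion; the `File`, `XattrAudit` and `CentralAudit` classes and the `/bin` and `/home/alice` paths are constructed for illustration. It contrasts a per-object mark, which disappears with the xattr and is applied by a non-atomic scan, with a centralized rule set that is swapped in as one unit and evaluated at access time.

```python
"""Per-object audit marks versus a centralized audit policy (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class File:
    """Constructed stand-in for an inode: path, owner and its extended attributes."""
    path: str
    owner: str
    xattrs: Dict[str, str] = field(default_factory=dict)


class XattrAudit:
    """Per-object scheme: a write is audited only if the object carries the mark.

    The mark name follows the 'security.audit' attribute proposed in the thread;
    the semantics here (value "1" means audit) are an assumption of this example.
    """
    MARK = "security.audit"

    def should_audit(self, f: File) -> bool:
        return f.xattrs.get(self.MARK) == "1"


class CentralAudit:
    """Centralized scheme: one rule set, replaced as a unit, checked at access time."""

    def __init__(self) -> None:
        self.rules: List[Callable[[File], bool]] = []

    def load_policy(self, rules: List[Callable[[File], bool]]) -> None:
        # A single assignment: the old policy is replaced atomically, and only
        # the path by which this is called needs protecting.
        self.rules = list(rules)

    def should_audit(self, f: File) -> bool:
        return any(rule(f) for rule in self.rules)


def demo_mark_removal() -> Tuple[bool, bool]:
    """Drawback 1: once the xattr is gone, the per-object scheme stops auditing.

    Returns (audited before removal, audited after removal).
    """
    f = File("/home/alice/notes", owner="alice", xattrs={"security.audit": "1"})
    per_object = XattrAudit()
    before = per_object.should_audit(f)
    # Under DAC the owner controls her own file's attributes, so the mark can
    # simply be dropped; nothing in the per-object scheme notices.
    del f.xattrs["security.audit"]
    after = per_object.should_audit(f)
    return before, after


def demo_nonatomic_tagging() -> Dict[str, Tuple[bool, bool]]:
    """Drawback 2: tagging '/bin' is a scan, and a file created mid-scan is missed.

    Returns {path: (audited by xattr scheme, audited by central policy)}.
    """
    fs: Dict[str, File] = {p: File(p, owner="root") for p in ("/bin/ls", "/bin/cp")}

    # The tagging pass works from a snapshot of the directory listing...
    listing = list(fs)
    # ...and a new file lands in /bin while the pass is still running.
    fs["/bin/new"] = File("/bin/new", owner="root")
    for path in listing:
        fs[path].xattrs["security.audit"] = "1"
    per_object = XattrAudit()

    # The centralized policy expresses the same intent as one rule that is
    # evaluated against whatever object is being written at the time.
    central = CentralAudit()
    central.load_policy([lambda f: f.path.startswith("/bin/")])

    return {p: (per_object.should_audit(f), central.should_audit(f))
            for p, f in fs.items()}


if __name__ == "__main__":
    print("mark removal (before, after):", demo_mark_removal())
    for path, (by_xattr, by_policy) in demo_nonatomic_tagging().items():
        print(f"{path}: xattr={by_xattr} central={by_policy}")
```

Running it shows `/home/alice/notes` going from audited to unaudited after the attribute is removed, and `/bin/new` left unaudited by the xattr scan while the centralized `/bin/` rule still covers it.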
