[redhat-lspp] Initial CUPS auditing patch
Matt Anderson
mra at hp.com
Mon Aug 22 17:39:20 UTC 2005
Janak,
Thanks for the feedback.
Janak Desai wrote:
> Is it possible to make the message a little more explanatory? That is,
> what does it mean when the ClassifyOverride flas is set or unset?
How about something like:
CUPS Config: ClassifyOverride is enabled, users can override print banners
CUPS Config: ClassifyOverride is disabled, users cannot override print
banners
>> +#ifdef WITH_AUDIT
>> + audit_log(AuditLog, AUDIT_USER, "CUPS Job #%d: being printed on
>> \"%s\" with label \"%s\"",
>> + id, printer->name, mls_label);
>> +#endif /* WITH_AUDIT */
>
>
> This audit record is created when the job is submitted. Is it possible that
> on the filter side, the CLASSIFICATION environment variable can be
> changed/overridden/deleted in such a way that affects the actual labels
> that come out on pages?
That record is actually getting created in StartJob just before the exec
of the filter. Theoretically the filter could ignore the environment
variable, but I don't believe it could get deleted or changed. Putting
the audit record in the filter wouldn't help that anyway since the same
malicious filter that is ignoring the environment variable could just as
easily audit a fake label.
Unless a clear need arises I'd like to keep this record in cupsd since
the cups architecture is such that filters are supposed to be drop-ins.
If we can avoid patching the filters it will make the patch that much
more maintainable.
-matt
More information about the Linux-audit
mailing list