[RFC] linux-2.6.10-auditfs-tc1.patch

Chris Wright chrisw at osdl.org
Fri Jan 21 18:29:47 UTC 2005


* Timothy R. Chavez (chavezt at gmail.com) wrote:
> Anyway, if we want to make this thing dynamic so that we can add watch
> points to paths that partially exist or do not exist at all and be
> able to remap on new mounts, it's going to take quite a rework and the
> reintroduction of something like Serge's mapnode data structure.  Do
> we want to shift directions again?  All this oscillating between
> requirements is starting to give me gray hair and I'm only 23 :( JK,
> but seriously, can we converge on something :)?

There are two primary issues.

1) Make sure it satisfies basic CAPP requirements (I expect the dynamic
issue could be handled w/in CAPP by simply documenting for the admin
that mounts after audit is started aren't allowed).  Of course, as
mentioned earlier, while we're here, might as well look out for LSPP,
but the audit requirements aren't that much different to my recollection,
just need to spit out labels...

2) Make the patch sane and mergeable.  This could mean a bit of
oscillation until the cleanest approach falls out.  And may mean making
things sane compared with CAPP.

Now for updates, I think you'll need to keep watch of the whole tree,
mount issues aside.  For example, I believe that right now the following
could fall off of the radar:

# mv /etc /tmp
# mkdir /etc
# cp /tmp/evil_shadow /etc/shadow

I think this would kill /etc dir watchpoints, and /etc/shadow would no
longer be watched, while /tmp/etc/shadow is diligently watched.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
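The rename sequence in the mail above, reproduced as an added example (not code from this thread or from the auditfs patch). It uses inotify, which was merged in 2.6.13, after this discussion, purely as a stand-in: like the auditfs watchpoints it binds a watch to an inode, so the same failure mode is visible. The scratch root, the names "etc", "moved" and "shadow", and the helper names are the example's own. The program watches the original "etc", renames it away, recreates "etc", writes a "shadow" into each, and then counts what the watch reported.

```c
/* Added example: inotify used as a stand-in for inode-bound auditfs
 * watchpoints. Everything lives under a mkdtemp() scratch root so it
 * runs as an unprivileged user; no real /etc is touched. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Tally of events seen on the watch placed on the original "etc" inode. */
struct rename_result {
    int move_self;     /* IN_MOVE_SELF: the watched directory itself was renamed */
    int create_shadow; /* IN_CREATE of "shadow" attributed to that watch */
};

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Read every queued event (descriptor is non-blocking) and count the
 * two kinds that matter for the argument in the mail. */
static void drain(int ifd, int wd, struct rename_result *r)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    for (;;) {
        ssize_t n = read(ifd, buf, sizeof buf);
        if (n <= 0)
            break; /* -1/EAGAIN once the queue is empty */
        for (char *p = buf; p < buf + n;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->wd == wd) {
                if (ev->mask & IN_MOVE_SELF)
                    r->move_self++;
                if ((ev->mask & IN_CREATE) && ev->len &&
                    strcmp(ev->name, "shadow") == 0)
                    r->create_shadow++;
            }
            p += sizeof *ev + ev->len;
        }
    }
}

/* Equivalent of "mv /etc /tmp; mkdir /etc; cp evil_shadow /etc/shadow"
 * under a scratch root. The watch is added to the original "etc" before
 * the rename, as a watchpoint would be. Returns {-1,-1} on any failure. */
struct rename_result run_rename_experiment(void)
{
    struct rename_result r = {0, 0}, fail = {-1, -1};
    const char *tmp = getenv("TMPDIR");
    char root[256], etc[256], moved[256], new_shadow[256], old_shadow[256];
    int ifd = -1, wd = -1;

    snprintf(root, sizeof root, "%s/auditwatch.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(root))
        return fail;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(moved, sizeof moved, "%s/moved", root);
    snprintf(new_shadow, sizeof new_shadow, "%s/shadow", etc);
    snprintf(old_shadow, sizeof old_shadow, "%s/shadow", moved);

    ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0 || mkdir(etc, 0700) < 0)
        goto out;
    /* Watch whatever inode currently sits at .../etc. */
    wd = inotify_add_watch(ifd, etc, IN_CREATE | IN_MOVE_SELF);
    if (wd < 0)
        goto out;

    if (rename(etc, moved) < 0)   /* mv /etc /tmp: the watch travels with the inode */
        goto out;
    if (mkdir(etc, 0700) < 0)     /* mkdir /etc: a fresh inode, nothing watching it */
        goto out;
    if (touch(new_shadow) < 0)    /* new /etc/shadow: silent */
        goto out;
    if (touch(old_shadow) < 0)    /* file under the moved dir: diligently reported */
        goto out;

    drain(ifd, wd, &r);
    goto cleanup;
out:
    r = fail;
cleanup:
    unlink(new_shadow);
    unlink(old_shadow);
    rmdir(etc);
    rmdir(moved);
    rmdir(root);
    if (wd >= 0)
        inotify_rm_watch(ifd, wd);
    if (ifd >= 0)
        close(ifd);
    return r;
}

int main(void)
{
    struct rename_result r = run_rename_experiment();
    printf("IN_MOVE_SELF on the watched dir: %d\n", r.move_self);
    printf("IN_CREATE \"shadow\" reported:     %d (only the moved copy can trigger it)\n",
           r.create_shadow);
    return (r.move_self == 1 && r.create_shadow == 1) ? 0 : 1;
}
```

Both counters come out as 1: the watch sees its own directory being moved and the write under the moved directory, while the file dropped into the recreated "etc" produces nothing. A path-based scheme that re-resolves on rename, or at least reacts to the IN_MOVE_SELF equivalent by re-evaluating the path, is what closes this gap.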