New Audit types
Valdis.Kletnieks at vt.edu
Wed Nov 2 19:42:26 UTC 2005
On Wed, 02 Nov 2005 12:10:42 EST, Steve Grubb said:
> On Wednesday 02 November 2005 11:43, Matt Anderson wrote:
> >Here are the four types that were required for Cups
> >
> > AUDIT_LABELED_EXPORT
> > AUDIT_UNLABELED_EXPORT
>
> Just a generic question -- do we need to patch cat, cp, rsync, scp, star, ...
> to have these, too?
>
> What if they do:
> file=`cat secret`
> echo $file > /mnt/unlabeled-device/file
>
> Would it be reasonable to expect the shell script trigger this event? If so,
> would we need to patch all these apps or should this be done via kernel
> mechanism? If catching this is reasonable...what about anything else like
> perl, python, expect, etc.

Presumably, that should be failed by SELinux or something as a violation
of the appropriate MLS constraint - a process running at some level allowed
to run 'cat secret' shouldn't be allowed to write to an unlabeled device.

CUPS needs special handling because it acts as a proxy for the user, and also
has to potentially deal with users in different security boxes, so it has to
re-create much of the checking and labelling done by the operating system
when it's the user acting directly.

> I think we also need these:
>
> AUDIT_LABELED_IMPORT
> AUDIT_UNLABELED_IMPORT

We'll probably eventually need these, but not within the context of CUPS, unless
there's a CUPS facility that can do such importing?
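
A small model of the distinction drawn in the reply above, added here as an illustration and not code from the post, SELinux or CUPS: a process acting directly is stopped by the OS-side MLS check, while a proxy daemon passes that check on its own and has to redo it per job. The level names, the `Device` type, the `trusted` flag, both function names, and the rule for which audit type is reported are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed level ordering; a real MLS policy also has categories.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}

@dataclass(frozen=True)
class Device:
    name: str
    max_level: Optional[str]  # None = unlabeled device

def os_write_allowed(subject_level: str, device: Device, trusted: bool = False) -> bool:
    """Model of the OS-side MLS check on a process writing to a device."""
    if trusted:
        # Assumption: a proxy daemon serving users at many levels holds an override,
        # so the OS check on the daemon's own process says nothing about the user.
        return True
    # Assumption: an unlabeled device is treated as the lowest level.
    device_level = 0 if device.max_level is None else LEVELS[device.max_level]
    return LEVELS[subject_level] <= device_level

def proxy_export(job_level: str, device: Device) -> Tuple[bool, Optional[str]]:
    """Check the proxy must redo itself, using the submitting user's level.
    Returns (allowed, audit record type to emit)."""
    if not os_write_allowed(job_level, device):
        return False, None
    if device.max_level is None:
        return True, "AUDIT_UNLABELED_EXPORT"
    return True, "AUDIT_LABELED_EXPORT"

# Constructed sample devices
UNLABELED = Device("/mnt/unlabeled-device", None)
PRINTER = Device("labeled-printer", "secret")

if __name__ == "__main__":
    # Direct user action: the shell-script case from the thread is refused by the OS check.
    print("user at secret -> unlabeled:", os_write_allowed("secret", UNLABELED))
    # The daemon's own process passes the OS check regardless of whose data it carries.
    print("daemon -> unlabeled:", os_write_allowed("secret", UNLABELED, trusted=True))
    # So the daemon re-creates the check per job.
    for level, dev in [("secret", UNLABELED), ("unclassified", UNLABELED), ("secret", PRINTER)]:
        print(level, "->", dev.name, proxy_export(level, dev))
```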