[Fwd: Re: audit]

Tomasz Kłoczko kloczek at rudy.mif.pg.gda.pl
Thu Sep 8 15:37:56 UTC 2005


On Thu, 8 Sep 2005, Steve Grubb wrote:

> Hello,
>
> I created the audit patch. I'll see if I can address some off these questions.

I've just added your address to the allow rule of the shadow list. You are not 
subscribed to the list but you can now send any message to the list (without 
suspension).

First: I want to say "thank you" for the response.
Second: it seems most of my remarks sent to Peter were incorrect (my 
knowledge about the auditing subsystem was very limited).

[..]
>> First from edge .. chage.c:
>>
>>          if (!amroot && !lflg) {
>>                  fprintf (stderr, _("%s: Permission denied.\n"), Prog);
>> #ifdef WITH_AUDIT
>>                  audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "change age",
>>                                NULL, getuid (), 0);
>> #endif
>>                  exit (E_NOPERM);
>>          }
>>
>> In this place the auditing comment is "change age", as in the case of changing
>> the user account age, but it is an *error* report, *not* performing this chage.
>> Many other places where audit_logger() was injected are very similar.
>
> What would be a better description of the operation? We cannot get too
> descriptive as the shadow utils patch has about 325 messages added for
> auditing. I also need the text to be short as each audit message consumes
> disk space. So we are trying to be sensitive to that as well.

My fault. Now I see this is correct because audit_logger() has an argument 
where the operation status is passed. I lost this by assuming the meaning of 
*_CHAUTHTOK and the "change age" message without any correctly visible remarks 
about notifying an operation which did not pass correctly.

Now I see the next possible change to the auditing changes in shadow: add some 
#defines for use in the last (result) argument of audit_logger() (a guess: 
probably AUDIT_SUCCESS and AUDIT_FAILED will be good). This can make this code 
easier to understand quickly, i.e. what is performed in an audit_logger() call 
(without studying libmisc/audit_help.c).

>> From libaudit.h:
>>
>> #define AUDIT_USER_AUTH         1100    /* User space authentication */
>> #define AUDIT_USER_ACCT         1101    /* User space acct change */
>> #define AUDIT_USER_MGMT         1102    /* User space acct management */
>> #define AUDIT_CRED_ACQ          1103    /* User space credential acquired */
>> #define AUDIT_CRED_DISP         1104    /* User space credential disposed */
>> #define AUDIT_USER_START        1105    /* User space session start */
>> #define AUDIT_USER_END          1106    /* User space session end */
>> #define AUDIT_USER_AVC          1107    /* User space avc message */
>> #define AUDIT_USER_CHAUTHTOK    1108    /* User space acct attr changed */
>> #define AUDIT_USER_ERR          1109    /* User space acct state err */
>> #define AUDIT_CRED_REFR         1110    /* User space credential refreshed */
>> #define AUDIT_USYS_CONFIG       1111    /* User space system config change */
>>
>> On first look at this list, logging all auditing records as
>> AUDIT_USER_CHAUTHTOK is incorrect.
>
> Remember this is pamish. We may need a new message type for adding and
> deleting a user account or group. That makes more sense to me.

Maybe I'm wrong but IMO AUDIT_USER_CHAUTHTOK is not a good name. 
AUDIT_USER_CHAUTH_TOK would probably be better. Usually when reading words we 
first see the beginning and end of a word/phrase (plain physiology). In this 
case it would be better to see AUDIT_*_TOK instead of AUDIT_*OK :o)
This is why I was confused by the code from chage.c :)

>> Probably using "useradd -D <other_options>" would be good to report as
>> AUDIT_USYS_CONFIG (?).
>
> This is for changes to the system config like hwclock that are mandated by the
> CAPP specification.
>
>> Successfully changing account properties as
>> AUDIT_USER_ACCT (what about changing group properties?).
>
> I didn't see any properties other than adding a user to a group. This should
> be recorded from the user's perspective as changes to the account.

OK, but the names of the AUDIT_* defines in libaudit.h do not suggest that 
they can also be used for group(s) operations.

>> Probably the start/stop of su, login and newgrp sessions would be good to mark as
>> AUDIT_USER_START/AUDIT_USER_END (?).
>
> Yes. I don't think newgrp has session start/end, but it probably should.

Look at the PAM-dependent code in newgrp.c (or "grep fork newgrp.c").

The shadow package used in Fedora does not use PAM abilities (all code is 
built configured --without-libpam; IMO this is incorrect because this limits 
the use of these tools to only the "files" NSS database type).

>> There will probably be many more questions like the above after spending more time.
>
> Please cc me on these questions as I can help explain what was done. There is
> also an audit mail list just in case you are interested.
> www.redhat.com/mailman/listinfo/linux-audit. I'm cc'ing this to that mail
> list since it looks like I may have a few action items.
>
> Hope this helps...

Probably I'll try to consult with you (directly or on the list) about any future 
changes in shadow related to the auditing subsystem (not all shadow commands 
have auditing support now).

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek at rudy.mif.pg.gda.pl*
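The result argument discussed in the message, as an added example that is not code from the shadow package or from the thread: a stand-in for audit_logger() that renders the record into a string, using constructed SHADOW_AUDIT_* names for the result, to show that the "change age" op text is identical for a refused and a completed chage and only the result field tells them apart.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Type value quoted from libaudit.h in the thread. */
#define AUDIT_USER_CHAUTHTOK 1108

/* Hypothetical named values for the result argument, as suggested in the
 * message; the names are constructed here, not shadow's. */
#define SHADOW_AUDIT_FAILED  0
#define SHADOW_AUDIT_SUCCESS 1

/* Hypothetical stand-in for libmisc/audit_help.c's audit_logger(): it
 * renders the record into buf instead of sending it to the kernel, so the
 * result field can be inspected. Returns the number of characters written. */
int audit_logger_fmt(char *buf, size_t len, int type, const char *prog,
                     const char *op, const char *name, uid_t id, int result)
{
    return snprintf(buf, len, "type=%d exe=%s op=%s acct=%s auid=%u res=%s",
                    type, prog, op, name ? name : "?", (unsigned) id,
                    result == SHADOW_AUDIT_SUCCESS ? "success" : "failed");
}

/* Mirrors the chage.c permission check quoted in the thread and returns the
 * result value that was logged. 'record' receives the rendered audit record. */
int chage_permission_check(int amroot, int lflg, const char *prog,
                           char *record, size_t len)
{
    if (!amroot && !lflg) {
        /* Same op string as a completed change: the result argument, not
         * the op text, records that the operation was refused. */
        audit_logger_fmt(record, len, AUDIT_USER_CHAUTHTOK, prog,
                         "change age", NULL, getuid(), SHADOW_AUDIT_FAILED);
        return SHADOW_AUDIT_FAILED;
    }
    audit_logger_fmt(record, len, AUDIT_USER_CHAUTHTOK, prog,
                     "change age", NULL, getuid(), SHADOW_AUDIT_SUCCESS);
    return SHADOW_AUDIT_SUCCESS;
}
```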
