SELinux for auditing

Steve Grubb sgrubb at redhat.com
Thu Feb 1 14:36:59 UTC 2007


On Tuesday 30 January 2007 19:11, Matthew Booth wrote:
> I have a couple of requirements which on the face of it don't seem
> simple to achieve with auditctl. These are:
>
> * Audit changes to executables
> * Audit changes to configuration files
>
> I'll concentrate on the former as it's more obviously problematic. I
> believe this would require putting a watch explicitly on every
> executable in the system.

Assuming current generation of audit code...

auditctl -a exit,always -F perm=w -F obj_type=sbin_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=bin_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=lib_t -k executables
auditctl -a exit,always -F perm=w -F obj_type=shlib_t -k executables

> If this isn't correct, please correct me and this problem goes away.

Try the above. "ausearch -k executables" would let you find these events.

> This does 2 things. Firstly it enforces that the system won't execute
> files which aren't labelled with an executable type.

This might not be a bad thing to include even if the audit rules above solve 
your problem.

> However, I'm worried I might be stepping outside design intentions. Is
> the above a good idea?

I'm hoping the audit system can meet any audit requirements. If not we need to 
work some more at it.

> Is using SELinux for writing auditing rules a good idea in general? 

If there are shortcomings in the audit system that you can solve another way, 
I guess you have no choice. But we'd like to know that people cannot use the 
audit system for its intended purpose.

-Steve
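As an added example, not part of Steve's mail or of the audit project's own code: a small POSIX shell script that turns the object-type approach above into a persistent rule set and then summarizes the resulting records per key, in the spirit of "ausearch -k executables". It extends the reply to the second requirement (configuration files) by keying a rule on etc_t; that type choice, the `always,exit` spelling of the list/action pair, and the sample log records (constructed here, not real captures) are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate auditd rules keyed on SELinux object type and
# summarize the SYSCALL records they produce. Not from the original mail.

# gen_rules KEY TYPE... : print one rule per SELinux type, in the form
# accepted by /etc/audit/rules.d/*.rules (augenrules) or `auditctl -R`.
# `always,exit` is the documented list/action form; the mail's `exit,always`
# is the same rule in the other order.
gen_rules() {
    key=$1
    shift
    for t in "$@"; do
        printf '%s\n' "-a always,exit -F perm=w -F obj_type=$t -k $key"
    done
}

# summarize_key KEY : read audit.log text on stdin and count, per writing
# executable, the SYSCALL records tagged with KEY (the records that
# `ausearch -k KEY` would select). Output: "<exe> <count>" lines, sorted.
summarize_key() {
    awk -v key="$1" '
        /^type=SYSCALL/ && index($0, "key=\"" key "\"") {
            exe = "?"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
            count[exe]++
        }
        END { for (e in count) printf "%s %d\n", e, count[e] }' | sort
}

# Constructed sample log lines (assumption: shaped like audit.log records,
# trimmed to the fields this example reads). Two writes hit executables,
# one hits a configuration file labelled etc_t.
SAMPLE_LOG='type=SYSCALL msg=audit(1170340000.101:201): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=500 comm="cp" exe="/bin/cp" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="executables"
type=PATH msg=audit(1170340000.101:201): item=1 name="/usr/sbin/sshd" obj=system_u:object_r:sbin_t:s0
type=SYSCALL msg=audit(1170340000.102:202): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=500 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="executables"
type=PATH msg=audit(1170340000.102:202): item=1 name="/usr/bin/vi" obj=system_u:object_r:bin_t:s0
type=SYSCALL msg=audit(1170340000.103:203): arch=c000003e syscall=2 success=yes exit=3 uid=0 auid=500 comm="vi" exe="/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="config"
type=PATH msg=audit(1170340000.103:203): item=1 name="/etc/ssh/sshd_config" obj=system_u:object_r:etc_t:s0'

# Stand-alone usage: the four executable types from the mail plus etc_t for
# configuration files (assumption), then a per-key summary of the sample log.
gen_rules executables sbin_t bin_t lib_t shlib_t
gen_rules config etc_t
printf '%s\n' "$SAMPLE_LOG" | summarize_key executables
printf '%s\n' "$SAMPLE_LOG" | summarize_key config
```

Writing the output of gen_rules to a file under /etc/audit/rules.d/ makes the rules survive a reboot, which the bare auditctl invocations in the mail do not; loading them requires root and a running audit subsystem, so only the summary half of the script is useful on a workstation with a copied log. The check against obj_type is evaluated from the inode's label, so files that are executable but mislabelled are not covered, which is why the sender's separate point about refusing to execute unlabelled files still matters.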
