problem about audit
Steve Grubb
sgrubb at redhat.com
Tue Mar 9 15:53:00 UTC 2010
On Monday 08 March 2010 08:37:50 pm tianyong1979sh wrote:
> my work is that when user input "getfacl" or "setfacl", whatever
> success or failed, the process of auditd can log this operation
On Linux, ACLs are stored as extended attributes. You can audit success and
failure by using these rules:
-a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b32 -S getxattr -S lgetxattr -S fgetxattr -S listxattr
-S llistxattr -S flistxattr
-a exit,always -F arch=b64 -S getxattr -S lgetxattr -S fgetxattr -S listxattr
-S llistxattr -S flistxattr
You can also add a -k setfacl and -k getfacl respectively if you wanted. SE
Linux also writes to the xattrs when policy is updated, so you would possible
have that issue, too.
> and the operation type is AUDIT_DAC_CHECHK that is defined in libaudit.h.
That type is meant for applications that do access control. In other words,
suppose an application connects to a local server and the server checks its
access control rules and decides that a connection should be allowed or
rejected. In that case, you would use this type. For any other use, the
generic AUDIT_TRUSTED_APP type is available for anything.
> In order to reach the destination ,i modified the codes in the packets
> of acl-2.2.39 and audit-1.7.7 . Firstly ,i added the function
> audit_log_acct_message() in the file of getfacl.c and setfacl.c in the
> audited place and the function audit_log_acct_message() is in file
> audit_logging.c of the audit-1.7.7. Secondly, i make the the project of
> acl and the result is ok .And i run the object file of getfacl. When the
> user is root,the audit message of getfacl operation can be logged.But when
> the user is normal user,the audit message cann't be logged.
Correct. This is so that unprivileged users and operations cannot spam the
audit logs. Allowing anything to write to the audit system would destroy the
integrity guarantees and reduce it to being another syslog.
> The VAR "errno" value is "Operation not permitted".when i execute the
> command "chmod u+s getfacl" as root. and then the audit message of getfacl
> operation can be logged au normal user. how i can reslove the problem that
> when normal user and normal authority execute the command "getfacl" ,the
> audit system still can log the operation?????
You would need to make the application setuid root or if your OS supports file
system based capabilities, then you can grant CAP_AUDIT_WRITE to the program.
But, do you really need to alter getfacl and setfacl? We were able to obtain
Common Criteria certification without modifying those apps. Besides, someone
could use another app besides those two to write/read the ACLs. Only watching
the syscalls can provide a complete solution.
-Steve
More information about the Linux-audit
mailing list