[PATCH 7/7] audit: audit feature to set loginuid immutable
Eric Paris
eparis at redhat.com
Mon Jul 8 20:51:20 UTC 2013
On Mon, 2013-07-08 at 16:34 -0400, Steve Grubb wrote:
> On Friday, May 24, 2013 12:11:50 PM Eric Paris wrote:
> > This adds a new 'audit_feature' bit which allows userspace to set it
> > such that the loginuid is absolutely immutable, even if you have
> > CAP_AUDIT_CONTROL.
>
> I'm also not sure I like it done this way. What I was thinking about is that
> we should set this at boot so that no matter what happens during boot, the
> policy is for setting loginuid cannot be messed with. We really do not want
> this to be changeable after the system comes up. I'd much rather see this as
> audit=4 on the boot prompt (meaning enabled and immutable). This way its clear
> to everyone that it can only be changed by rebooting the system and the policy
> is in effect for the duration of the session.
Linus has explicitly said the kernel command line options are only
acceptable if they are required for kernel functionality before they can
be set by userspace. If we don't trust the audit system initialization
we already lost and no amount of audit= is going to change that. Since
there is absolutely no benefit to setting this on the kernel command
line, before we can parse and use the audit.rules, I can not make this
yet another archaic command line option. I'm sorry, but this just
cannot happen...
More information about the Linux-audit
mailing list