[redhat-lspp] SE Linux audit events
Steve Grubb
sgrubb at redhat.com
Tue Nov 8 15:32:06 UTC 2005
Hi,
I think we need to start talking about adding audit events for SE Linux. If I
do this: "echo "0" > /selinux/enforcing" I get this record:
type=SYSCALL msg=audit(11/08/05 09:43:57.306:66) : arch=x86_64 syscall=write
success=yes exit=2 a0=1 a1=2aaaadfab000 a2=2 a3=ffffffff items=0 pid=2385
auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root comm=bash exe=/bin/bash
subj=root:system_r:unconfined_t:s0-s0:c0.c255
type=AVC msg=audit(11/08/05 09:43:57.306:66) : avc: granted { setenforce }
for pid=2385 comm=bash scontext=root:system_r:unconfined_t:s0-s0:c0.c255
tcontext=system_u:object_r:security_t:s0 tclass=security
This is inadequate since you don't know if a 1 or 0 went into the kernel. It
is also an AVC message which makes it blend in with the other 60,000 avc
messages I have on my system.
I think we need to add some SE Linux kernel message types for audit into the
kernel and start patching the kernel to report these messages - including the
information of previous value and new value.
The events I think we need are:
MAC_POLICY_LOAD - This event would designate policy loads
MAC_STATUS - This event would indicate a change in enforcing, permissive, or
off.
MAC_CONFIG_CHANGE - This would indicate a change to booleans.
Are there other events that we should care about?
-Steve
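As an added example (not part of Steve's post or of the audit tooling), the script below parses audit records in the text form quoted above, correlates the records that share one event serial, and reports what the event actually tells a reviewer about a setenforce change. Run over the two records from the post it shows the gap the post describes: the AVC record proves the setenforce permission was exercised and the SYSCALL record gives the write() byte count in a2, but neither carries the value written. The MAC_STATUS record used as a second input is a constructed illustration of the proposed event; its enforcing= and old_enforcing= field names are an assumption about how such a record would look.

```python
import re
from collections import defaultdict

# Added example: parse Linux audit records in the text form shown in the
# post, group the records that share one serial, and report what they do and
# do not record about a setenforce change. Not code from the post itself.

# The two records quoted in the post, with the mailing-list line wraps
# joined so each record is one line (the audit format is one record per line).
POST_LOG = (
    "type=SYSCALL msg=audit(11/08/05 09:43:57.306:66) : arch=x86_64 syscall=write "
    "success=yes exit=2 a0=1 a1=2aaaadfab000 a2=2 a3=ffffffff items=0 pid=2385 "
    "auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root "
    "sgid=root fsgid=root comm=bash exe=/bin/bash "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c255\n"
    "type=AVC msg=audit(11/08/05 09:43:57.306:66) : avc: granted { setenforce } "
    "for pid=2385 comm=bash scontext=root:system_r:unconfined_t:s0-s0:c0.c255 "
    "tcontext=system_u:object_r:security_t:s0 tclass=security\n"
)

# Constructed illustration of the MAC_STATUS record the post asks for. The
# enforcing= / old_enforcing= field names are an assumption about its shape.
PROPOSED_LOG = (
    "type=MAC_STATUS msg=audit(11/08/05 09:43:57.306:67) : enforcing=0 "
    "old_enforcing=1 auid=root\n"
)

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <body>; the timestamp itself
# contains colons, so the serial is the last colon-separated number before ')'.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>.*?):(?P<serial>\d+)\) : (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")        # key=value tokens in the body
PERMS_RE = re.compile(r"\{ ([^}]*) \}")   # AVC permission set, e.g. { setenforce }


def parse_record(line):
    """Parse one audit record into a dict; return None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    rec = {"type": m.group("type"), "ts": m.group("ts"),
           "serial": int(m.group("serial"))}
    rec.update(KV_RE.findall(body))
    perms = PERMS_RE.search(body)
    if perms:  # AVC record: keep the decision and the permission set
        rec["perms"] = perms.group(1).split()
        rec["decision"] = "granted" if body.startswith("avc: granted") else "denied"
    return rec


def group_events(log_text):
    """Records that share a serial describe the same event; group them."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def find_enforcing_changes(log_text):
    """Report every event that touched the enforcing switch.

    An event qualifies if it carries an AVC record for the setenforce
    permission on the security class, or a MAC_STATUS record. For each one,
    report which old/new values are actually recorded (None = not recorded).
    """
    findings = []
    for serial, recs in sorted(group_events(log_text).items()):
        by_type = {r["type"]: r for r in recs}
        avc = by_type.get("AVC")
        status = by_type.get("MAC_STATUS")
        sc = by_type.get("SYSCALL")
        setenforce_avc = (avc is not None and avc.get("tclass") == "security"
                          and "setenforce" in avc.get("perms", []))
        if not (setenforce_avc or status):
            continue
        src = status if status is not None else avc
        findings.append({
            "serial": serial,
            "ts": src["ts"],
            "pid": src.get("pid"),
            "comm": src.get("comm"),
            "auid": (sc or src).get("auid"),
            "subject": (sc or {}).get("subj") or (avc or {}).get("scontext"),
            # a2 is the write() byte count in hex: it says how much was
            # written to /selinux/enforcing, not which value.
            "bytes_written": int(sc["a2"], 16) if sc and "a2" in sc else None,
            "old_value": int(status["old_enforcing"])
                         if status and "old_enforcing" in status else None,
            "new_value": int(status["enforcing"])
                         if status and "enforcing" in status else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_enforcing_changes(POST_LOG + PROPOSED_LOG):
        print(finding)
```

For the records from the post, the finding reports pid, comm, subject and a write of 2 bytes with both old_value and new_value unknown; for the constructed MAC_STATUS record it reports old_value 1 and new_value 0, which is exactly the previous-value/new-value information the post says the kernel should emit.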