New audit-perms patch [ Re: Audit perms check on recv ]
Casey Schaufler
casey at schaufler-ca.com
Tue Jan 4 22:16:19 UTC 2005
--- Darrel Goeddel <dgoeddel at trustedcs.com> wrote:
> Serge E. Hallyn wrote:
> > The attached patch addresses Stephen's comments about re-using
> > dummy_capget code and properly checking capabilities in
> > selinux_netlink_send.
> >
> > To review, it
> >
> > 1. adds two new capabilities, CAP_AUDIT_READ and CAP_AUDIT_WRITE
> > ...
>
> It would seem that separate CAP_AUDIT_ADMIN/CAP_AUDIT_WRITE
> capabilities are much more important than having a separate
> CAP_ADMIN_READ capability.
The POSIX Draft uses CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL, with the latter required for
reading records. Irix does the same. A
capability for reading audit records separate
from that required to disable their generation,
the logic went, is hardly necessary.
> The CAP_AUDIT_WRITE capability should only allow a process to
> generate a userspace audit message.
This is consistent with POSIX.
> I think capability checks should map like this:
>
> AUDIT_GET   -> none (possibly CAP_AUDIT_ADMIN)
> AUDIT_SET   -> CAP_AUDIT_ADMIN
> AUDIT_LIST  -> none (possibly CAP_AUDIT_ADMIN)
> AUDIT_ADD   -> CAP_AUDIT_ADMIN
> AUDIT_DEL   -> CAP_AUDIT_ADMIN
> AUDIT_USER  -> CAP_AUDIT_WRITE
> AUDIT_LOGIN -> CAP_AUDIT_ADMIN
>
> The case of AUDIT_LOGIN has merit for a separate CAP_AUDIT_LOGIN
> capability because this carries much more importance than
> AUDIT_USER, but we really should not have the ability to mess with
> the rest of the configuration. However, this action is as important
> to the reliability of the audit logs as the configuration of the
> audit subsystem. I would prioritize this capability above
> CAP_AUDIT_READ as well.
The granularity of capabilities should be carefully
policed. Data General had over 330 in DGUX. If it
is at all possible to get by with two, that would be
best.
=====
Casey Schaufler
casey at schaufler-ca.com
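The capability mappings argued over in this thread, written out as an added C example that is not code from the thread, from Serge's patch or from the kernel. It encodes the POSIX-draft two-capability model (CAP_AUDIT_WRITE for user messages, CAP_AUDIT_CONTROL for everything else) and Darrel's proposed table as selectable policies, plus a hypothetical three-capability split with a separate read capability, included only so the difference Casey is pointing at can be checked. The message-type values are the ones in linux/audit.h; the capability bit positions are this example's own assumption, not kernel numbering, and the policy names are invented for the example.

```c
#include <stdio.h>

/* Audit netlink message types, values as in linux/audit.h. */
#define AUDIT_GET   1000   /* query audit status */
#define AUDIT_SET   1001   /* set status: enable/disable, pid, rate limit */
#define AUDIT_LIST  1002   /* list filter rules */
#define AUDIT_ADD   1003   /* add a filter rule */
#define AUDIT_DEL   1004   /* delete a filter rule */
#define AUDIT_USER  1005   /* userspace-generated audit record */
#define AUDIT_LOGIN 1006   /* set the login id of a process */

/* Capability bits: assumed positions for this example only. The thread is
 * still deciding which audit capabilities exist, so no kernel numbering
 * is implied. CAP_AUDIT_CONTROL plays the role of Darrel's CAP_AUDIT_ADMIN. */
#define CAP_AUDIT_WRITE   (1UL << 0)   /* may generate a userspace audit record */
#define CAP_AUDIT_CONTROL (1UL << 1)   /* may configure or disable the subsystem */
#define CAP_AUDIT_READ    (1UL << 2)   /* hypothetical separate read capability */

enum audit_policy {
    POLICY_TWO_CAPS,    /* POSIX draft / Irix model Casey describes */
    POLICY_DARREL,      /* Darrel's table: GET/LIST need nothing, LOGIN is admin */
    POLICY_SPLIT_READ   /* hypothetical: GET/LIST gated by a separate READ cap */
};

/* Capability mask required for msg_type under policy pol.
 * Returns 0 when no capability is needed, -1 for an unknown message type. */
static long audit_required_caps(enum audit_policy pol, int msg_type)
{
    switch (msg_type) {
    case AUDIT_USER:
        /* Identical in every model: writing a record must not imply control. */
        return CAP_AUDIT_WRITE;
    case AUDIT_GET:
    case AUDIT_LIST:
        if (pol == POLICY_DARREL)
            return 0;
        if (pol == POLICY_SPLIT_READ)
            return CAP_AUDIT_READ;
        return CAP_AUDIT_CONTROL;      /* POSIX draft: reading needs CONTROL */
    case AUDIT_SET:
    case AUDIT_ADD:
    case AUDIT_DEL:
    case AUDIT_LOGIN:
        return CAP_AUDIT_CONTROL;      /* all three models agree here */
    default:
        return -1;
    }
}

/* Permission check: every required bit must be in the caller's effective
 * set. Unknown message types are refused, so a new type added to the
 * protocol is denied until a mapping is written for it. */
int audit_netlink_permitted(enum audit_policy pol, int msg_type, unsigned long caps)
{
    long need = audit_required_caps(pol, msg_type);
    if (need < 0)
        return 0;
    return (caps & (unsigned long)need) == (unsigned long)need;
}

/* Casey's question in one predicate: under this policy, does a capability set
 * that is allowed to read status (AUDIT_GET) also let its holder turn audit
 * off (AUDIT_SET)? */
int read_implies_control(enum audit_policy pol, unsigned long caps)
{
    return audit_netlink_permitted(pol, AUDIT_GET, caps) &&
           audit_netlink_permitted(pol, AUDIT_SET, caps);
}

int main(void)
{
    static const char *name[] = { "two-caps", "darrel", "split-read" };
    static const unsigned long sets[] = { 0, CAP_AUDIT_WRITE, CAP_AUDIT_READ,
                                          CAP_AUDIT_CONTROL };
    static const int types[] = { AUDIT_GET, AUDIT_SET, AUDIT_LIST, AUDIT_ADD,
                                 AUDIT_DEL, AUDIT_USER, AUDIT_LOGIN };
    for (int p = 0; p < 3; p++) {
        printf("policy %s\n", name[p]);
        for (size_t s = 0; s < sizeof sets / sizeof sets[0]; s++) {
            printf("  caps=%lx:", sets[s]);
            for (size_t t = 0; t < sizeof types / sizeof types[0]; t++)
                printf(" %d=%c", types[t],
                       audit_netlink_permitted(p, types[t], sets[s]) ? 'y' : 'n');
            printf(" read->control=%c\n",
                   read_implies_control(p, sets[s]) ? 'y' : 'n');
        }
    }
    return 0;
}
```

Running it shows the trade-off in the thread directly: under the two-capability model the only set that can query status is CAP_AUDIT_CONTROL, which can also disable auditing, which is exactly the coupling Casey says the POSIX and Irix designers accepted; the split-read policy removes that coupling at the price of a third capability; Darrel's table lets a process with no capability at all issue AUDIT_GET and AUDIT_LIST. In every model a process holding only CAP_AUDIT_WRITE can emit AUDIT_USER records and nothing else.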