[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditd design decision

--- "Timothy R. Chavez" <chavezt gmail com> wrote:

> Hello,
> But last night in a dream,
> a giant donut told
> me that I should just create a file, watch.list,
> which auditd will
> read when its started and insert any/all new watches
> into the
> filesystem.

Donuts are notoriusly one-dimensional in their
approach to problems like this. The notion is
simple and attractive, but ...

If /etc/passwd is (hard) linked as /tmp/mojo
accesses to the file may be missed. Your scheme
is monitoring the file system name space, not the
file system objects. This is is a close
approximation of what you need, but not sufficient.

> This way, when we mount over /etc, and
> we're watching
> /etc/passwd, then when we restart auditd, /etc it
> will insert a watch
> for /etc/passwd on the new device.

Which is correct from a namespace view but wrong
from a object view.

> We do it this
> way so we minimize
> our impact on kernel code (not sure we want to go
> screwing around with
> mount())

The impact should be in the real right place,
and no sneaking about.

> This might be a little cumbersome to do
> when we wish to
> remove watch points, because in theory, we'd want to
> detect the
> absence of /etc/passwd on a restart to know that we
> must remove its
> watch point from the file system.  Does this sound
> reasonable or do we
> need a greater degree of flexibility with the
> ability to insert/remove
> watch points without restarting auditd like we do
> with rules?

To meet CAPP and LSPP requirements you need to
address both file system name space and file
system object audit issues.

    # mv /etc/passwd /tmp/foo
    # touch /etc/passwd
    # analyse /tmp/foo

The object that was named /etc/passwd has been
"analyse"d, and if you care about the object
or the data it contained, you should be able to
find that in the audit trail. It is also
interesting that the current object located in
the name space at /etc/passwd was created by
touch. Name space alone does not tell the whole

Now, was it a jelly donut, or a Krispy Kreme?

Casey Schaufler
casey schaufler-ca com

Do you Yahoo!? 
The all-new My Yahoo! - What will yours do?

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]