
Re: [Fwd: Re: audit]



On Thu, 8 Sep 2005, Steve Grubb wrote:

Hello,

I created the audit patch. I'll see if I can address some of these questions.

I've just added your address to the allow rule of the shadow list. You are not subscribed to the list, but you can now send any message to the list (without it being held).


First: I want to say "thank you" for the response.
Second: it seems most of the remarks I sent to Peter were incorrect (my knowledge of the auditing subsystem was very limited).


[..]
First, from the edge .. chage.c:

         if (!amroot && !lflg) {
                 fprintf (stderr, _("%s: Permission denied.\n"), Prog);
#ifdef WITH_AUDIT
                 audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "change age",
                               NULL, getuid (), 0);
#endif
                 exit (E_NOPERM);
         }

In this place the auditing comment is "change age", as in the case of changing the user
account age, but it is an *error* report, *not* the performing of this chage.
Many other places where audit_logger() was injected are very similar.

What would be a better description of the operation? We cannot get too descriptive as the shadow utils patch has about 325 messages added for auditing. I also need the text to be short as each audit message consumes disk space. So we are trying to be sensitive to that as well.

My fault. Now I see this is correct, because audit_logger() has an argument in which the operation status is passed. I missed this by reading the meaning of *_CHAUTHTOK and the "change age" message without any clearly visible remark that this notifies about an operation which did not pass correctly.


Now I see a next possible change to the auditing changes in shadow: add some #defines for use in the last (result) argument of audit_logger() (guessing: probably AUDIT_SUCCESS, AUDIT_FAILED would be good). This can make this code better for faster understanding of what is performed in the audit_logger() call (without studying libmisc/audit_help.c).

From libaudit.h:

#define AUDIT_USER_AUTH         1100    /* User space authentication */
#define AUDIT_USER_ACCT         1101    /* User space acct change */
#define AUDIT_USER_MGMT         1102    /* User space acct management */
#define AUDIT_CRED_ACQ          1103    /* User space credential acquired */
#define AUDIT_CRED_DISP         1104    /* User space credential disposed */
#define AUDIT_USER_START        1105    /* User space session start */
#define AUDIT_USER_END          1106    /* User space session end */
#define AUDIT_USER_AVC          1107    /* User space avc message */
#define AUDIT_USER_CHAUTHTOK    1108    /* User space acct attr changed */
#define AUDIT_USER_ERR          1109    /* User space acct state err */
#define AUDIT_CRED_REFR         1110    /* User space credential refreshed */
#define AUDIT_USYS_CONFIG       1111    /* User space system config change */

At first look at this list, logging all auditing records as
AUDIT_USER_CHAUTHTOK is incorrect.

Remember this is PAM-ish. We may need a new message type for adding and deleting a user account or group. That makes more sense to me.

Maybe I'm wrong, but IMO AUDIT_USER_CHAUTHTOK is not a good name. AUDIT_USER_CHAUTH_TOK would probably be better. Usually when reading words we first see the beginning and the end of a word/phrase (plain physiology). In this case it would be better to see AUDIT_*_TOK instead of AUDIT_*OK :o)
This is why I was confused by the code from chage.c :)


Probably using "useradd -D <other_options>" would be good to report as
AUDIT_USYS_CONFIG (?).

This is for changes to the system config like hwclock that are mandated by the CAPP specification.

Successfully changing account properties as
AUDIT_USER_ACCT (what about changing group properties?).

I didn't see any properties other than adding a user to a group. This should be recorded from the user's perspective as changes to the account.

OK, but the names of the AUDIT_* defines in libaudit.h do not suggest that this can also be used for group operations.


Probably start/stop of su, login, newgrp sessions would be good to mark as
AUDIT_USER_START/AUDIT_USER_END (?).

Yes. I don't think newgrp has session start/end, but it probably should.

Look at the PAM-dependent code in newgrp.c (or "grep fork newgrp.c").

The shadow package used in Fedora does not use PAM abilities (all code is built configured --without-libpam; IMO this is incorrect because it limits the use of these tools to only "files" type NSS databases).

After spending more time there will probably be many more questions like the above.

Please cc me on these questions as I can help explain what was done. There is also an audit mail list just in case you are interested. www.redhat.com/mailman/listinfo/linux-audit. I'm cc'ing this to that mail list since it looks like I may have a few action items.

Hope this helps...

Probably I'll try to consult with you (directly or on the list) about any future changes in shadow related to the auditing subsystem (not all shadow commands have auditing support now).


kloczek
--
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek rudy mif pg gda pl*
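As an added example (not code from the shadow sources or from the audit patch), a stand-in for shadow's audit_logger() that formats the record locally instead of sending it through libaudit, showing why the same "change age" text on both paths of the chage.c check is acceptable: the last (result) argument, here with the AUDIT_SUCCESS/AUDIT_FAILED defines proposed in the mail, carries the outcome. The uid 1000, the account name and the "res=" rendering are constructed assumptions for the example.

```c
/* Added example: a local stand-in for shadow's libmisc audit_logger().
 * It only formats the record into a buffer; the real wrapper hands the
 * text to libaudit, which appends res=success or res=failed itself. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Message type value as listed in libaudit.h above. */
#define AUDIT_USER_CHAUTHTOK 1108

/* Hypothetical result defines as suggested in the mail: libaudit takes
 * 1 for success and 0 for failure in the result argument. */
#define AUDIT_SUCCESS 1
#define AUDIT_FAILED  0

static char g_rec[256];   /* last formatted record (example only) */

/* Formats one record; the op text never says whether it succeeded,
 * the result argument does. */
static const char *audit_logger(int type, const char *prog, const char *op,
                                const char *name, uid_t id, int result)
{
    snprintf(g_rec, sizeof g_rec, "type=%d op=%s acct=%s exe=%s auid=%u res=%s",
             type, op, name ? name : "?", prog, (unsigned)id,
             result == AUDIT_SUCCESS ? "success" : "failed");
    return g_rec;
}

/* Mirrors the chage.c permission check: both paths log "change age";
 * only the result argument distinguishes them. Returns 1 when denied,
 * 0 when the change is permitted. Uid 1000 is a constructed value. */
static int chage_check(int amroot, int lflg)
{
    if (!amroot && !lflg) {
        audit_logger(AUDIT_USER_CHAUTHTOK, "chage", "change age",
                     NULL, 1000, AUDIT_FAILED);
        return 1;
    }
    audit_logger(AUDIT_USER_CHAUTHTOK, "chage", "change age",
                 "alice", 1000, AUDIT_SUCCESS);
    return 0;
}

static const char *last_audit_record(void) { return g_rec; }

int main(void)
{
    chage_check(0, 0); puts(last_audit_record());   /* denied path  */
    chage_check(1, 0); puts(last_audit_record());   /* success path */
    return 0;
}
```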
