Problem meeting FAU_SEL with trusted programs
Matt Anderson
mra at hp.com
Mon Feb 13 17:54:39 UTC 2006
After posting my patch last week I got some feedback about a problem
with FAU_SEL.1 Selectable Audit and FAU_SAR.3 Selectable Audit Review.
Since cups is generating audit messages on behalf of the user the uid
and auid fields in the record are those of cupsd and not the user who
submitted the print job.
type=USER_LABELED_EXPORT msg=audit(1139496671.166:828):
user pid=20396 uid=0 auid=4294967295
msg='job=21 user="mra" printer="localp" with labels "secret" "secret":
exe="/usr/sbin/cupsd" (hostname=orb.zko.hp.com, addr=16.116.96.203,
terminal=pts/1 res=success)'
Even if the audit message string was changed to include 'uid=500' there
would still be a discrepancy between the various fields of the record.
I mentioned this on #audit and Steve said he could add the ability to
ausearch to look for the uid= substring in the message, but I'm not sure
that meets the first requirement.
If we have two uid and auid fields in all of these trusted program
generated messages is it always the one in the message string that is
correct? Does ausearch always have to look into the message string to
see if there is a (a)uid there to match on? Can a trusted program be
trusted to pass in the auid and uid to audit? If it can then there
would be only one uid and auid in the record, do we need the
identification information about the trusted program which passed this
data to the kernel?
It seems like other trusted programs (at least cron) will also have this
problem of a server generating messages on behalf of a user and needing
to pass audit records into the kernel with that user's information.
Don't we need an audit interface to support that?
-matt
More information about the Linux-audit
mailing list