[RFC 1/1] NetLabel: add audit support for configuration changes

Paul Moore paul.moore at hp.com
Wed Sep 27 13:21:48 UTC 2006


On Tuesday 26 September 2006 5:46 pm, Linda Knippers wrote:
> paul.moore at hp.com wrote:
> > This patch is a first attempt at adding auditing support to NetLabel,
> > based on a conversation with Steve Grubb on irc last Friday (9/22).  I
> > wanted to send this out to the audit mailing list first to get some
> > feedback on such things as message types and message formats.  Once I
> > have collected your feedback I plan on posting the next version of the
> > patch to both the netdev and audit mailing lists for inclusion in 2.6.19.
> >
> > So please, if you have comments/concerns/etc. please share them now so
> > this does not get held up later - thank you.
>
> It might be helpful if you also mailed out some examples of the audit
> records generated by this code.

Sheesh, isn't that what the code is for :)

Anyway, here are all of the audit messages along with some actions that will 
cause them to be triggered.  I tried to model the message format off a 
combination of SELinux AVC and syscall messages.  Bear in mind that the 
message type appears as unknown because the audit daemon does not yet know 
about the new message types.  Once again, comments are welcome.

 # netlabelctl unlbl accept on

type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl 
action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl"

 (there is also an audit message for "unlbl accept off" which changes
  "action=accept" to "action=deny")

 # netlabelctl cipsov4 add std doi:1 tags:1 levels:0=0 categories:0=0

type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=1 type=std

 # netlabelctl cipsov4 add pass doi:1 tags:1

type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=2 type=pass

 # netlabelctl cipsov4 del doi:2

type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" doi=2

 # netlabelctl map add domain:foo_t protocol:cipsov4,1

type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1

 # netlabelctl map add domain:bar_t protocol:unlbl

type=UNKNOWN[1410] msg=audit(1159362574.457:424): netlabel: module=map 
action=add auid=0 uid=0 euid=0 tty=pts0 pid=6734 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=bar_t protocol=unlbl

 # netlabelctl map del domain:bar_t

type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map 
action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl"  
exe="/usr/local/sbin/netlabelctl" domain=bar_t

 (when operating on the default mapping the "domain=<domain string>" is
  replaced with "domain=(default)")

-- 
paul moore
linux security @ hp
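As an added illustration of the record format shown above (not code from the patch or from the NetLabel project), the following Python parser reads the audit lines from this post, re-joined onto single lines as auditd emits them, splits the `key=value` body and summarises each configuration change by module, action, object and actor. The regular expressions, the `NetLabelEvent` class, the `OBJECT_FIELDS` table and the final `domain=(default)` record are my own assumptions built from the examples and notes in the post; the `type=UNKNOWN[...]` numbers are the provisional ones from this RFC, so the summary keys off the `module=`/`action=` fields rather than the type number.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Records taken from the post above, re-joined onto one line each (auditd
# writes a record as a single line; the mail client wrapped them).  The last
# record is constructed to show the "domain=(default)" form the post mentions.
SAMPLE_RECORDS = [
    'type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl '
    'action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl"',
    'type=UNKNOWN[1408] msg=audit(1159362224.120:416): netlabel: module=cipsov4 '
    'action=add auid=0 uid=0 euid=0 tty=pts0 pid=6690 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl" doi=1 type=std',
    'type=UNKNOWN[1408] msg=audit(1159362287.820:418): netlabel: module=cipsov4 '
    'action=add auid=0 uid=0 euid=0 tty=pts0 pid=6698 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl" doi=2 type=pass',
    'type=UNKNOWN[1409] msg=audit(1159362325.202:419): netlabel: module=cipsov4 '
    'action=del auid=0 uid=0 euid=0 tty=pts0 pid=6703 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl" doi=2',
    'type=UNKNOWN[1410] msg=audit(1159362514.990:421): netlabel: module=map '
    'action=add auid=0 uid=0 euid=0 tty=pts0 pid=6722 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl" domain=foo_t protocol=cipsov4 doi=1',
    'type=UNKNOWN[1411] msg=audit(1159362627.789:425): netlabel: module=map '
    'action=del auid=0 uid=0 euid=0 tty=pts0 pid=6740 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl" domain=bar_t',
    # constructed: removal of the default mapping (see the note in the post)
    'type=UNKNOWN[1411] msg=audit(1159362700.000:426): netlabel: module=map '
    'action=del auid=0 uid=0 euid=0 tty=pts0 pid=6750 comm="netlabelctl" '
    'exe="/usr/local/sbin/netlabelctl" domain=(default)',
]

# Header: the type (numeric while auditd does not know the name, symbolic
# later), the audit(timestamp:serial) prefix, then the "netlabel:" body.
HEADER_RE = re.compile(
    r'^type=(?:UNKNOWN\[(?P<num>\d+)\]|(?P<name>\w+)) '
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'netlabel: (?P<body>.*)$'
)
# key=value pairs; values are either double-quoted strings (comm=, exe=)
# or bare tokens such as doi=1, tty=pts0 or domain=(default).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Which body fields identify the configured object, per NetLabel module
# (assumed from the examples: unlbl has none, cipsov4 has the DOI and the
# mapping type, map has the domain plus the protocol and DOI it points at).
OBJECT_FIELDS = {
    "unlbl": (),
    "cipsov4": ("doi", "type"),
    "map": ("domain", "protocol", "doi"),
}


@dataclass
class NetLabelEvent:
    type_id: Optional[int]      # numeric type from UNKNOWN[n], if present
    type_name: Optional[str]    # symbolic type name, once auditd knows it
    timestamp: float
    serial: int
    fields: Dict[str, str]


def parse_record(line: str) -> Optional[NetLabelEvent]:
    """Parse one audit line; return None for records that are not NetLabel."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("body")):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]          # strip the quotes around comm= / exe=
        fields[key] = raw
    num = m.group("num")
    return NetLabelEvent(
        type_id=int(num) if num else None,
        type_name=m.group("name"),
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        fields=fields,
    )


def describe(ev: NetLabelEvent) -> str:
    """One-line summary: module, action, object fields, then the actor."""
    f = ev.fields
    module = f.get("module", "?")
    obj = " ".join(f"{k}={f[k]}" for k in OBJECT_FIELDS.get(module, ()) if k in f)
    actor = f"auid={f.get('auid')} uid={f.get('uid')} comm={f.get('comm')}"
    head = f"{module} {f.get('action', '?')} {obj}".rstrip()
    return f"{head} [{actor}]"


def summarize(lines: List[str]) -> List[str]:
    """Summaries of every NetLabel configuration change found in lines."""
    out = []
    for line in lines:
        ev = parse_record(line)
        if ev is not None:
            out.append(describe(ev))
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_RECORDS):
        print(s)
```

Parsing on `module=`/`action=` rather than the numeric type keeps the same code working whether auditd prints `type=UNKNOWN[1410]` today or a symbolic name once the new types are registered; a non-NetLabel record (a `SYSCALL` line, say) is simply skipped.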