SELinux for auditing

Matthew Booth mbooth at redhat.com
Wed Jan 31 00:11:30 UTC 2007


I have a couple of requirements which on the face of it don't seem
simple to achieve with auditctl. These are:

* Audit changes to executables
* Audit changes to configuration files

I'll concentrate on the former as it's more obviously problematic. I
believe this would require putting a watch explicitly on every
executable in the system. If this isn't correct, please correct me and
this problem goes away. Assuming it is, though, I don't believe this is
a practical solution.

It occurs to me that this might be more easily achieved with SELinux. As
a test, I made the following small change to the unconfined domain of
the RHEL 4 targeted policy macros/global_macros.te:

# Types that label executable content (binaries, libraries, the dynamic loader)
define(`executable_files', `{ exec_type sbin_t bin_t lib_t shlib_t ld_so_t }')

# Original rule, now disabled: unconfined could do anything to any file_type
#allow $1 file_type:dir_file_class_set *;
# Everything except execute on arbitrary file types ...
allow $1 file_type:dir_file_class_set ~execute;
# ... and full access, execute included, only on executable types
allow $1 executable_files:dir_file_class_set *;

# Log an AVC "granted" record whenever an executable-typed object is modified
auditallow $1 executable_files:dir_file_class_set { create write rename setattr append relabelfrom };

This does 2 things. Firstly it enforces that the system won't execute
files which aren't labelled with an executable type. This is really just
to make sure everything is caught by the second rule, which is to audit
changes to executables. To make this thorough, you'd have to go through
everywhere else execute is granted in other domains.

However, I'm worried I might be stepping outside design intentions. Is
the above a good idea? Is using SELinux for writing auditing rules a
good idea in general? Is there a better way to achieve this and similar
requirements which affect a potentially large class of file?

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
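As an added example, not part of Matt's message: the auditallow rule above makes the kernel emit AVC "granted" records, so the auditing side is a matter of picking those out of the audit log. This Python script (names and sample records are constructed, not taken from a real system) filters AVC records for the executable types and permissions named in the macro, so a defender can report modifications to executables without a watch per file.

```python
import re

# Executable types from the executable_files macro in the post.
EXECUTABLE_TYPES = {"exec_type", "sbin_t", "bin_t", "lib_t", "shlib_t", "ld_so_t"}
# Permissions the auditallow rule in the post reports.
AUDITED_PERMS = {"create", "write", "rename", "setattr", "append", "relabelfrom"}

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = set(m.group("perms").split())
    # tcontext is user:role:type[:level]; the type is always the third field.
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def executable_modifications(lines):
    """Return the granted AVC records that modify an executable-typed object."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "granted":
            continue
        if rec["ttype"] in EXECUTABLE_TYPES and rec["perms"] & AUDITED_PERMS:
            hits.append(rec)
    return hits


# Constructed sample records (not from a real system); RHEL 4 contexts carry no MLS level.
SAMPLE_LOG = [
    'type=AVC msg=audit(1170201090.123:456): avc:  granted  { write } for  pid=1234 comm="vim" name="ls" dev=sda1 ino=12345 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file',
    'type=AVC msg=audit(1170201091.001:457): avc:  granted  { write } for  pid=1235 comm="vim" name="motd" dev=sda1 ino=22 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file',
    'type=AVC msg=audit(1170201092.500:458): avc:  denied  { execute } for  pid=1236 comm="bash" name="backup.sh" dev=sda1 ino=99 scontext=root:system_r:unconfined_t tcontext=root:object_r:user_home_t tclass=file',
    'type=AVC msg=audit(1170201093.700:459): avc:  granted  { relabelfrom } for  pid=1237 comm="chcon" name="libc.so.6" dev=sda1 ino=77 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:shlib_t tclass=file',
    'type=SYSCALL msg=audit(1170201093.700:459): arch=40000003 syscall=5 success=yes exit=3',
]

if __name__ == "__main__":
    for rec in executable_modifications(SAMPLE_LOG):
        print(rec["comm"], sorted(rec["perms"]), rec["name"], rec["ttype"])
```

The third sample line shows the effect of the `~execute` rule: an execute attempt on a non-executable type is denied rather than granted, so it is reported by the denial path, not by this filter.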