[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Relying on syscall record for information and useless key/value duplication

On Wednesday, January 11, 2012 04:10:16 PM Eric Paris wrote:
> So I realized today that we have overlapping information in records and
> I don't like it.

I have a real strong feeling that you did it. :-)  I'm not searching the 
archives for proof...but I remember it went something like this...we needed a 
MAC event showing it changed. We needed some basic info. Then later we needed 
some more info and then someone just changed it to dump the syscall record. In 
many cases, this is bloat.

What is required is much less fields and I would like to keep the overall event 
size as small as possible. Do I need a MAC_STATUS event?  Yes. Do I need to know 
the syscall? no.

> A great example would be the MAC_STATUS record and how
> you can get duplicate info.  Looking at that following output.
> type=MAC_STATUS msg=audit(1326314451.473:1018): enforcing=0 old_enforcing=1
> auid=4166 ses=2 type=SYSCALL msg=audit(1326314451.473:1018): arch=c000003e
> syscall=1 success=yes exit=1 a0=3 a1=7fffc73e1200 a2=1 a3=0 items=0
> ppid=3110 pid=21435 auid=4166 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts3 ses=2 comm="setenforce" exe="/usr/sbin/setenforce"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> What you see is that the MAC_STATUS record tells us more than about the
> mac status.  It also includes the auid and ses.  Why only that info?

What is required is this:
Date and time of the event, 
type of event, 
subject identity (if applicable), 
the outcome (success or failure) of the event
and additional data depending on the event, like what configuration item changed 
(with old and new values), what was accessed, etc.

We have additional requirements of being able to trace each event back to an 
actual login hence the session data. Then you also have to record enough 
information about the subject that its useful. This includes at a minimum auid, 
uid, pid, and selinux context.

> Why not other info like the SELinux context? 

I think when we asked for that, you added a line of code to grab the whole 
syscall since that was the simplest thing to do. :-)

> What really bothers me is that We already get that info (and a lot more info)
> in the SYSCALL record.  I believe this is bogus.  What I'd like to do is to
> create a new record called the 'TASK_INFO' record that will contain:
> ppid pid auid uid gid euid suid fsuid egid sgid fsgid tty ses comm exe
> subj

Probably too much info and too late. I have a feeling that a change like this 
now would cause more problems than its worth.

I want to aim the audit system such that it can meet the new basic robustness 
protection profile. Meeting it would also allow meeting any other PP that I know 
of. It will require reviewing all audit records to make sure they conform to the 
new requirements.


I'd really like to avoid any massive changes in record format until that work 
begins in earnest later this year. I want to create some regression testing 
tools in the mean time so that as we move forward, we can stay backwards 
compatible. Imagine an aggregating server with several different Linux platforms 
being aggregated and still being able to use the current tools. It has to be 

Please, let's not go down this rat hole just yet. I'd rather catch up on the 
known bugs in the audit system like 


then around summer/late spring start working towards GPOSPP's requirements and 
possibly reformat some events as part of that work.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]