Preferred subj= with multiple LSMs
Casey Schaufler
casey at schaufler-ca.com
Mon Jul 15 19:37:06 UTC 2019
On 7/15/2019 12:04 PM, Richard Guy Briggs wrote:
> On 2019-07-13 11:08, Steve Grubb wrote:
>> Hello,
>>
>> On Friday, July 12, 2019 12:33:55 PM EDT Casey Schaufler wrote:
>>> Which of these options would be preferred for audit records
>>> when there are multiple active security modules?
>> I'd like to start out with what is the underlying problem that results in
>> this? For example, we have pam. It has multiple modules each having a vote.
>> If a module votes no, then we need to know who voted no and maybe why. We
>> normally do not need to know who voted yes.
>>
>> So, in a stacked situation, shouldn't each module make its own event, if
>> required, just like pam? And then log the attributes as it knows them? Also,
>> what model is being used? Does first module voting no end access voting? Or
>> does each module get a vote even if one has already said no?
>>
>> Also, we try to keep LSM subsystems separated by record type numbers. So,
>> apparmor and selinux events are entirely different record numbers and
>> formats. Combining everything into one record is going to be problematic for
>> reporting.
> I was wrestling with the options below and was uncomfortable with all of
> them because none of them was guaranteed not to break existing parsers.
I, too, am uncomfortable regarding record parsing.
> Steve's answer is the obvious one, ideally allocating a separate range
> to each LSM with each message type having its own well defined format.
It doesn't address the issue of success records, or records
generated outside the security modules.
>
>> -Steve
>>
>>> I'm not asking
>>> if we should do it, I'm asking which of these options I should
>>> implement when I do do it. I've prototyped #1 and #2. #4 is a
>>> minor variant of #1 that is either better for compatibility or
>>> worse, depending on how you want to look at it. I understand
>>> that each of these offer challenges. If I've missed something
>>> obvious, I'd be delighted to consider #5.
>>>
>>> Thank you.
>>>
>>> Option 1:
>>>
>>> subj=selinux='x:y:z:s:c',apparmor='a'
>>>
>>> Option 2:
>>>
>>> subj=x:y:z:s:c subj=a
>>>
>>> Option 3:
>>>
>>> lsms=selinux,apparmor subj=x:y:z:s:c subj=a
>>>
>>> Option 4:
>>>
>>> subjs=selinux='x:y:z:s:c',apparmor='a'
>>>
>>> Option 5:
>>>
>>> Something else.
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
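As an added illustration (not code from the thread or the audit project), the small parser below shows how each of the concrete layouts in Casey's list looks to a key=value audit-record consumer: the sample records are constructed from those layouts, and `naive_fields` stands in for a last-value-wins parser of the kind Richard worries about breaking.

```python
import re

# Constructed records (not real audit output) using the exact subj= layouts
# proposed as Option 1, 2 and 3 in the thread.
SAMPLES = {
    1: "type=AVC msg=audit(1.0:1): subj=selinux='x:y:z:s:c',apparmor='a' pid=1",
    2: "type=AVC msg=audit(1.0:1): subj=x:y:z:s:c subj=a pid=1",
    3: "type=AVC msg=audit(1.0:1): lsms=selinux,apparmor subj=x:y:z:s:c subj=a pid=1",
}

# key=value tokens; a value is a single- or double-quoted string or a run of
# non-whitespace, so Option 1's comma-joined value stays one token.
TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
# Inner lsm='label' pairs of an Option 1 (or Option 4) value.
NESTED = re.compile(r"(\w+)='([^']*)'")


def tokenize(record):
    """Return (key, value) pairs in record order, keeping duplicate keys."""
    pairs = []
    for key, val in TOKEN.findall(record):
        if val[0] in "'\"" and val[-1] == val[0]:
            val = val[1:-1]
        pairs.append((key, val))
    return pairs


def naive_fields(record):
    """Existing-parser behaviour: a dict where a repeated key keeps only the
    last value, so Option 2 silently drops the first LSM's subject."""
    return dict(tokenize(record))


def subjects(record):
    """Map LSM name -> subject label for whichever layout the record uses.
    Where the record does not name the LSM (Option 2, or a single-LSM
    record) the labels are keyed by position instead."""
    pairs = tokenize(record)
    subj_vals = [v for k, v in pairs if k == "subj"]
    lsms = next((v.split(",") for k, v in pairs if k == "lsms"), None)
    if lsms is not None:                                    # Option 3
        return dict(zip(lsms, subj_vals))
    if len(subj_vals) == 1 and NESTED.search(subj_vals[0]):   # Option 1
        return dict(NESTED.findall(subj_vals[0]))
    return {i: v for i, v in enumerate(subj_vals)}          # Option 2 / legacy
```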