From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: Re: [PATCH 7/7] audit: audit feature to set loginuid immutable
Date: Wed, 10 Jul 2013 09:32:05 -0500
Message-ID: <51DD7065.8080206@magitekltd.com>
References: <1369411910-13777-1-git-send-email-eparis@redhat.com>
	<1453848.WlUzMfBVNC@x2> <51DCA20F.6020309@magitekltd.com>
	<1768498.01aSW39qOl@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com
	[10.5.110.21])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id r6AEWMmL002630
	for <linux-audit@redhat.com>; Wed, 10 Jul 2013 10:32:22 -0400
Received: from mail-oa0-f42.google.com (mail-oa0-f42.google.com
	[209.85.219.42])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r6AEW7lU026365
	for <linux-audit@redhat.com>; Wed, 10 Jul 2013 10:32:08 -0400
Received: by mail-oa0-f42.google.com with SMTP id j6so9829852oag.29
	for <linux-audit@redhat.com>; Wed, 10 Jul 2013 07:32:07 -0700 (PDT)
In-Reply-To: <1768498.01aSW39qOl@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 07/10/2013 08:46 AM, Steve Grubb wrote:
>
> Currently its a compile time option. This means when its selected the auid is 
> immutable and you have a strong assurance argument that any action by the 
> subject really is the subject's account. Strong assurance may be required for 
> high assurance deployments. It would be more solid standing up in court as 
> well because the argument can be made that whatever action occurred can be 
> attributed to the subject because there is no way to change it. Its tamper-
> proof.
That was my understanding.
>
> The change means the default policy will now allow process with 
> CAP_AUDIT_CONTROL to change the auid to anything at anytime and then perform 
> actions which would be attributed to another user. There is an event logged on 
> setting the loginuid, so it could be considered tamper-evident. At least as 
> long as the event's not filtered or erased.
This sounds dangerous. Why would we want to allow this?
>
> My preference is that we have a way that we can put the system into the 
> immutable mode in a way that leaves no doubts about whether the system has 
> operated under the same policy from beginning to end.
That is a better way.

>>From an end user perspective I can tell you that although we strive to
be diligent, the reality of reduced budgets and multi-tasking security
managers means that tamper-proof (at least as a near-to-mid-term goal)
is desired over tamper-evident.
Even if the event is not erased or filtered it means another requirement
levied on a person which I do not believe existed before.

Thanks for the info, Steve. I appreciate it!
LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com