* [RFC] audit.spec: create audit group for log read access
@ 2021-01-20 17:52 Enzo Matsumiya
2021-01-20 18:16 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Enzo Matsumiya @ 2021-01-20 17:52 UTC (permalink / raw)
To: linux-audit
Hi,
We (SUSE) would like to introduce an "audit" group for log read access.
This would be handled only by patching the .spec file to create the
group and modify the permissions of the default log dir/file to:
drwxr-x--- 1 root audit 322 25. Okt 21:06 /var/log/audit/
-rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log
No source code modifications are required, as log_group_parser() should
handle invalid entries.
If an enforcement or warning is required for when log_group is not
using the default "audit" group, it should be easy to do as well.
For those wondering, Common Criteria seems to be fine with this
modification.
Excerpt from SUSE's CC certification (RH's seems to match):
---- begin ----
6.2.1.4 Restricted audit review (FAU_SAR.2)
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those
users that have been granted explicit read-access.
Application Note: The protection of the audit records is based on the Unix permission bit
settings defined by FDP_ACC.1(PSO) supported by FDP_ACF.1(PSO).
---- end ----
Please let me know of your concerns, if any.
I have a working patch that I can submit right away in case this gets an
ok.
Cheers,
Enzo
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] audit.spec: create audit group for log read access
2021-01-20 17:52 [RFC] audit.spec: create audit group for log read access Enzo Matsumiya
@ 2021-01-20 18:16 ` Steve Grubb
2021-01-20 21:39 ` Enzo Matsumiya
0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2021-01-20 18:16 UTC (permalink / raw)
To: linux-audit, Enzo Matsumiya
Hello,
On Wednesday, January 20, 2021 12:52:24 PM EST Enzo Matsumiya wrote:
> We (SUSE) would like to introduce an "audit" group for log read access.
>
> This would be handled only by patching the .spec file to create the
> group and modify the permissions of the default log dir/file to:
>
> drwxr-x--- 1 root audit 322 25. Okt 21:06 /var/log/audit/
> -rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log
>
> No source code modifications are required, as log_group_parser() should
> handle invalid entries.
>
> If an enforcement or warning is required for when log_group is not
> using the default "audit" group, it should be easy to do as well.
>
> For those wondering, Common Criteria seems to be fine with this
> modification.
>
> Excerpt from SUSE's CC certification (RH's seems to match):
>
> ---- begin ----
> 6.2.1.4 Restricted audit review (FAU_SAR.2)
>
> FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit
> records, except those users that have been granted explicit read-access.
>
> Application Note: The protection of the audit records is based on the Unix
> permission bit settings defined by FDP_ACC.1(PSO) supported by
> FDP_ACF.1(PSO).
> ---- end ----
>
> Please let me know of your concerns, if any.
This might go against the DISA STIG, but otherwise this is using the audit
system as intended.
> I have a working patch that I can submit right away in case this gets an
> ok.
I consider the audit.spec file to be an example to help others with packaging.
But I'm not entirely sure if it's 100% in sync with Fedora since they make
arbitrary policy changes like removing gcc and make from the build root which
then causes specfile updates. If you want to submit a patch, feel free. I
would apply it as an example to others.
Best Regards,
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] audit.spec: create audit group for log read access
2021-01-20 18:16 ` Steve Grubb
@ 2021-01-20 21:39 ` Enzo Matsumiya
2021-01-20 23:15 ` Steve Grubb
0 siblings, 1 reply; 4+ messages in thread
From: Enzo Matsumiya @ 2021-01-20 21:39 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On 01/20, Steve Grubb wrote:
>This might go against the DISA STIG, but otherwise this is using the audit
>system as intended.
Ah yes, you're right. I checked and it seems so for RH, but not for SUSE.
Good catch, though.
>I consider the audit.spec file to be an example to help others with packaging.
>But I'm not entirely sure if it's 100% in sync with Fedora since they make
>arbitrary policy changes like removing gcc and make from the build root which
>then causes specfile updates. If you want to submit a patch, feel free. I
>would apply it as an example to others.
Thanks. We also have some modifications to the specfile.
So what I'm getting from your reply is it's up to the OS vendor to provide,
or not, such modification -- i.e. it's more of a general OS problem than audit's
problem. Is that correct?
>Best Regards,
>-Steve
Cheers,
Enzo
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC] audit.spec: create audit group for log read access
2021-01-20 21:39 ` Enzo Matsumiya
@ 2021-01-20 23:15 ` Steve Grubb
0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2021-01-20 23:15 UTC (permalink / raw)
To: Enzo Matsumiya; +Cc: linux-audit
On Wednesday, January 20, 2021 4:39:11 PM EST Enzo Matsumiya wrote:
> >I consider the audit.spec file to be an example to help others with
> >packaging. But I'm not entirely sure if it's 100% in sync with Fedora
> >since they make arbitrary policy changes like removing gcc and make from
> >the build root which then causes specfile updates. If you want to submit
> >a patch, feel free. I would apply it as an example to others.
>
> Thanks. We also have some modifications to the specfile.
>
> So what I'm getting from your reply is it's up to the OS vendor to provide,
> or not, such modification -- i.e. it's more of a general OS problem than
> audit's problem. Is that correct?
I consider it to be an end user choice. Because if you set the log_group, you
may need to do a chgrp command to get your logs in order. And I don't know
who should get access. Would it be wheel or a special audit-view group? To
me, it just seems like any choice I make may not work for everyone.
But you're welcome to send a patch if you want.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-20 23:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-20 17:52 [RFC] audit.spec: create audit group for log read access Enzo Matsumiya
2021-01-20 18:16 ` Steve Grubb
2021-01-20 21:39 ` Enzo Matsumiya
2021-01-20 23:15 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.