On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote: > On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote: > > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote: > > > Add a netlink multicast socket with one group to kaudit for > > > "best-effort" > > > delivery to read-only userspace clients such as systemd, in addition to > > > the > > > existing bidirectional unicast auditd userspace client. > > > > One question...we do have to have the ability to separate of secadm_r and > > sysadm_r. By allowing this we will leak to a sysadmin that he is being > > audited by the security officer. In a lot of cases, they are one in the > > same person. But for others, they are not. I have a feeling this will > > cause problems for MLS systems. > > A good question. But easily solved in policy. Don't give > CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read > from the multicast socket.
That also means that we probably want an audit event for any successful and unsuccessful attempts to connect for _reading_ audit events. -Steve > As to what others who read from the journal I guess we can just make > sure it is a config option whether to collect or not. Most everyone > would want to collect, but some configs might obviously not. > > I'll roll around in the back of my head the ability for auditctl to > disable the multicasting, but CAP_AUDIT_READ takes care of that a whole > lot more nicely... -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
