Bug 1097314
| Field | Value |
|---|---|
| Summary | [Atomic] Create /var/lib/audit in package or via systemd tmpfiles |
| Product | [Fedora] Fedora |
| Reporter | Colin Walters <walters> |
| Component | audit |
| Assignee | Steve Grubb <sgrubb> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | rawhide |
| CC | dwalsh, ljozsa, sgrubb |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Story Points | --- |
| | 1155820 (view as bug list) |
| Last Closed | 2015-01-16 00:01:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1147383, 1155820 |
Description
Colin Walters
2014-05-13 14:35:56 UTC
That sounds like a security issue. We need to have lastlog, btmp, utmp, and audit logs persistent. Unused accounts are detected via lastlog so that they can be locked after a timeout. We also have requirements to display the number of bad login attempts since the last successful login as well as the last login. These files are all kept in /var. Are they being persisted somewhere and copied back? Audit should be in the same boat because of the forensic information it gathers.

We can handle 1 with SELinux without any change, by simply having a transition rule on auditd_t creating the audit directory in a directory labeled var_log_t.

commit fbb839977ad1857f3d6499eb609d73326479ee91 adds these rules to SELinux Policy.

Steve, this is only for initial boot. These files would get created on first boot and then would persist.

Yep, /var is persistent. In the OSTree model by default it's a bind mount out of the root to a regular directory, but I'll likely support in the future having it be a mount point itself. This bug is just about how the directories get created. The feature that doing it on boot enables is you *can* choose to rm /var/* -rf and reboot to get a "factory reset".

What about /var/lib/systemd/random-seed? It's needed so that entropy generated during install is preserved so that sshd does not generate the same or similar keys as any other server would. Wrt auditd, there have been questions about its order in the past (mostly around not being early enough). I was hoping to work out the boot sequence during common criteria. It should be started after all disks are mounted because it may have rules for those paths, but before most daemons so that it catches any AVC or system modification that a daemon could make.

When I say /var starts out empty, it is a bit of a lie =) In practice right now I precreate /var/log/journal for example, since otherwise there's a messy bootstrapping problem between journald and systemd-tmpfiles. As to your specific question about /var/lib/systemd/random-seed: if you install via Anaconda, it'll be there on first boot.

Hi, any objections to this patch?

I honestly don't know what systemd does under the hood and can't make any judgment about the patch one way or another. The main thing audit needs is to start at the first chance so that it records service start ups or any AVCs caused on boot.

Pushed into upstream commit 967.

audit-2.3.8-0.2.svn20140803 was pushed to rawhide and f21 a couple days ago. Please let me know if anything else needs to be done.

This is fixed.
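The first-boot mechanism the thread settles on (a tmpfiles.d entry that recreates /var/lib/audit even after /var has been wiped for a "factory reset"), as an added example that is not code from the bug report, the audit package or systemd; the tmpfiles fragment, its modes and owners are constructed assumptions, and only the `d` action is modelled.

```python
# Added example, not code from the audit package or systemd: a minimal model of
# the tmpfiles.d "d" action the bug asks for, applied below an arbitrary root so
# first-boot behaviour can be exercised unprivileged. Owner/group are ignored
# (chown needs root); only "d" lines are handled.
import os
import shlex
import shutil
import stat
import tempfile

# Constructed fragment; mode and owner are assumptions, not from the bug.
AUDIT_TMPFILES_CONF = """\
d /var/lib/audit 0750 root root -
d /var/log/audit 0700 root root -
"""

def parse_tmpfiles(text):
    """Return (path, mode) for each 'd' line; blank lines and comments skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = shlex.split(line)
        if f[0] != "d" or len(f) < 2:
            raise ValueError("unsupported tmpfiles line: %r" % line)
        # A "-" mode means the default, which is 0755 for directories.
        mode = int(f[2], 8) if len(f) > 2 and f[2] != "-" else 0o755
        entries.append((f[1], mode))
    return entries

def apply_tmpfiles(text, root):
    """Create the missing 'd' entries below root (like systemd-tmpfiles --create)."""
    created = []
    for path, mode in parse_tmpfiles(text):
        target = os.path.join(root, path.lstrip("/"))
        if not os.path.isdir(target):
            os.makedirs(target)
            created.append(path)
        os.chmod(target, mode)  # re-assert the mode even on an existing dir
    return created

def factory_reset_cycle(text=AUDIT_TMPFILES_CONF):
    """First boot, then 'rm -rf /var/*' and reboot: the dirs must come back."""
    root = tempfile.mkdtemp()
    first = apply_tmpfiles(text, root)
    shutil.rmtree(os.path.join(root, "var"))  # the thread's factory reset
    second = apply_tmpfiles(text, root)
    mode = stat.S_IMODE(os.stat(os.path.join(root, "var/lib/audit")).st_mode)
    shutil.rmtree(root)
    return first, second, mode
```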