Bug 461653
| Summary: | IPA: Include plaintext string data with audit log in new plugin | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Karl Wirth <kwirth> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.0 | CC: | lenny, pmoore, sgrubb |
| Target Milestone: | rc | Keywords: | Unconfirmed |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-03 20:49:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 840699 | ||
|
Description
Karl Wirth
2008-09-09 18:33:04 UTC
I'd like to add to (3) above - that on systems configured for MLS policy, the translation of the MLS part of the context to its human-readable form as defined by the mcstrans.conf definitions on that machine. Also, I second - the UID/GID translation would be very helpful. This bug is pretty old, and maybe the proposed fix Karl mentioned isn't the optimal way anymore. When I read it, I was really interested in getting the interpreted information into the events vice the numeric (UID/GID/AUID/etc). This would facilitate meaningful events on an aggregated machine. I've learned how to work around this problem in the intervening years, but would still be interested in having the ability.
UID/GID/AUID are all well-known. The part that might be unclear is the mcstrans part I described. An MLS policy is similar to MCS, except instead of one sensitivity level and multiple compartments, there are multiple SLs and multiple compartments.
The mcstransd interprets human-readable discrete labels into machine-readable and vice-versa.
Example setrans.conf entries:
Domain=Test
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh
Base=Sensitivity Levels
s1=Unclassified
s1=U
s2:c200.c511=Restricted
s2:c200.c511=R
s3:c200.c511=Confidential
s3:c200.c511=C
s4:c200.c511=Secret
s4:c200.c511=S
s5:c200.c511=Top Secret
s5:c200.c511=TS
The audited events have only the bitwise representations; e.g.:
node=jcdx type=SYSCALL msg=audit(10/13/2015 11:40:58.454:62780) : arch=i386 syscall=socketcall(socket) success=no exit=-13(Permission denied) a0=1 a1=fff54c94 a2=5f79ff4 a3=fff54e5c items=0 ppid=9645 pid=9646 auid=root uid=json2jcdx gid=jcdx euid=json2jcdx suid=json2jcdx fsuid=json2jcdx egid=jcdx sgid=jcdx fsgid=jcdx tty=(none) ses=332 comm=json2jcdx exe=/opt/jcdx/libexec/json2jcdx subj=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 key=(null)
node=jcdx type=AVC msg=audit(10/13/2015 11:40:58.454:62780) : avc: denied { create } for pid=9646 comm=json2jcdx scontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tcontext=system_u:system_r:jcdx_json_recv_t:s5:c0.c2,c11,c86,c200.c511 tclass=netlink_route_socket
This is not going into RHEL6 at this point. It is being worked on RHEL7 under rhbz 1127343. *** This bug has been marked as a duplicate of bug 1127343 *** |