Closed rgbriggs closed 6 years ago
Is it possible to change the interface promiscuity without a syscall? I know that the interface can change promiscuity indirectly (I believe bridging and/or some other interface layering can have that effect), but all of those configuration changes should be attached to a syscall, yes?
As far as I know, promiscuity will drop when the device link goes down, independent of userspace directives. Regardless, I think there is a more general problem: we want records to be tied to syscalls when they exist, but still want a record when it is a kernel thread, and still need enough information to figure that out, particularly when it is a system configuration change.
In my opinion the proper behavior would be to tie the record with the associated SYSCALL record whenever possible.
So given the situation, nothing should be changed, since it is already associated with a syscall due to using the current->audit_context, and fields can't be changed other than to append, leaving auid, uid, gid and ses duplicating those in the syscall record.
The ANOM_PROMISCUOUS record is declared with context included, attaching itself to a SYSCALL record, but it already includes some subject attributes.
Should this be an autonomous record or should it be accompanying a SYSCALL record?
Recommend either removing the subject attributes from the ANOM_PROMISCUOUS, or (preferably) making them more complete and not adding a context reference to the audit_log... call.
note: net/core/dev.c:__dev_set_promiscuity()
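The tie between an ANOM_PROMISCUOUS record and its SYSCALL record discussed above shows up in the log as a shared event id (the `timestamp:serial` inside `msg=audit(...)`). The following is an added example, not code from the issue or the kernel: it groups audit records by event id and reports, for each ANOM_PROMISCUOUS record, whether a SYSCALL record accompanies it and whether the subject fields (auid, uid, gid, ses) merely duplicate the SYSCALL record. The sample log lines are constructed; the second event stands for a kernel-context change (unset auid/ses) with no syscall to attach to.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log format (not a real capture).
SAMPLE_LOG = """\
type=ANOM_PROMISCUOUS msg=audit(1500000000.123:42): dev=eth0 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=3
type=SYSCALL msg=audit(1500000000.123:42): arch=c000003e syscall=16 success=yes exit=0 auid=1000 uid=0 gid=0 ses=3 comm="tcpdump" exe="/usr/sbin/tcpdump"
type=ANOM_PROMISCUOUS msg=audit(1500000005.000:43): dev=eth0 prom=0 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUBJECT_FIELDS = ("auid", "uid", "gid", "ses")


def parse_records(text):
    """Parse records and group them by audit event id (timestamp:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[f"{ts}:{serial}"].append((rtype, fields))
    return events


def classify_promisc_events(text):
    """For each ANOM_PROMISCUOUS record, report whether a SYSCALL record shares
    its event id and whether the subject fields just duplicate that record."""
    results = []
    for event_id, records in parse_records(text).items():
        anom = next((f for t, f in records if t == "ANOM_PROMISCUOUS"), None)
        if anom is None:
            continue
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        results.append({
            "event": event_id,
            "dev": anom.get("dev"),
            "tied_to_syscall": syscall is not None,
            "subject_duplicated": syscall is not None
            and all(anom.get(k) == syscall.get(k) for k in SUBJECT_FIELDS),
            "comm": syscall.get("comm") if syscall else None,
        })
    return results
```

A record with no SYSCALL sibling is exactly the kernel-thread case where the subject fields in ANOM_PROMISCUOUS are the only attribution available.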