linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
Other
140 stars 37 forks source link

RFE: MAC_CONFIG_CHANGE record cleanup #61

Closed stevegrubb closed 7 years ago

stevegrubb commented 7 years ago

This event should be a simple record with the following fields: pid, uid, auid, tty, session, context, comm, exe (in this order) + old value + new value if applicable.

pcmoore commented 7 years ago

This is closely related to #62.

For reference, here is the current MAC_CONFIG_CHANGE record:

# ausearch -m MAC_CONFIG_CHANGE
time->Tue Aug 15 09:25:16 2017
type=PROCTITLE msg=audit(1502803516.009:263585): proctitle=...
type=SYSCALL msg=audit(1502803516.009:263585): arch=c000003e syscall=1 success=yes
  exit=2 a0=3 a1=7ffd416a855e a2=2 a3=0 items=0 ppid=2055 pid=2123 auid=0 uid=0 gid=0
  euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setsebool"
  exe="/usr/sbin/setsebool"
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1502803516.009:263585): bool=domain_fd_use val=0 
  old_val=1 auid=0 ses=1

Similar questions as in #62, would you prefer to see the information duplicated across records in the same event or are you happy with the information present in the SYSCALL record?

stevegrubb commented 7 years ago

I always run with audit=1 on boot prompt and the full STIG setup. The STIG rules is what the majority of the people use and its how we should all be testing. There should not need to be a syscall record since this is not needing to be a compound event and sometimes the SYSCALL record is not there. The minimal required information should be in the MAC_CONFIG_CHANGE record.

pcmoore commented 7 years ago

Ungh, the same response @stevegrubb? At least you made sure to change the record name ;)

I'm just going to refer you to my previous comment in https://github.com/linux-audit/audit-kernel/issues/60#issuecomment-323099134, it applies here as well.

stevegrubb commented 7 years ago

This appears to be fixed by https://github.com/linux-audit/audit-kernel/issues/66