[tomoyo-dev-en 18] Re: Access Logs


Jamie Nguyen dysco****@gmail*****
Tue Nov 30 00:11:51 JST 2010


Tetsuo Handa wrote:
> I think log file names must be explicitly specified in the configuration file.

In the case that the user creates a new profile>=4 they must remember
to specify a log file name in /etc/ccs/auditd.conf, otherwise there
will be no log. However, I think I would agree with you that the log
file should only be written to if explicitly specified in
/etc/ccs/auditd.conf, otherwise some unexpected behaviour might occur.



> OK. An audit log has three lines. What about sorting rules in
>
>  fgrep match in the first line | fgrep match in the second line | fgrep match in the third line | Destination pathname
>
> format? For example,
>
>  # matches "granted=yes".
>  granted=yes | * | * | /dev/null
>  # matches "granted=no" && "profile=2" && "file read"
>  profile=2   | * | "file read" | /var/log/tomoyo/profile_002.reject.file.read.log
>  # matches "granted=no" && "profile=2" && "file write"
>  profile=2   | * | "file write" | /var/log/tomoyo/profile_002.reject.file.write.log
>  # matches "granted=no" && "profile=2" && !("file read" || "file write")
>  profile=2   | * | * | /var/log/tomoyo/profile_002.reject.log
>  # matches "granted=no" && domain names start with "<kernel> /usr/sbin/httpd".
>  * | <kernel> /usr/sbin/httpd | * | /var/log/tomoyo/apache.reject.log
>
> and an audit log like
>
>  #2010-09-09 14:27:28# profile=2 mode=permissive granted=no (global-pid=3392) task={ pid=3392 ppid=3388 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=1626176 major=8 minor=1 perm=0644 type=file } path1.parent={ uid=0 gid=0 ino=1625571 perm=0755 }
>  <kernel> /usr/sbin/httpd /bin/sh /usr/bin/id
>  file read /usr/lib/locale/locale-archive
>
> is sent to /var/log/tomoyo/profile_002.reject.file.read.log and
>
>  #2010-09-09 14:27:28# profile=1 mode=learning granted=no (global-pid=3392) task={ pid=3392 ppid=3388 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=1676438 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=1676072 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=linux" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }
>  <kernel> /usr/sbin/httpd /bin/sh
>  file execute /usr/bin/id
>
> is sent to /var/log/tomoyo/apache.reject.log.

This sounds great! For the "normal" user using just default profiles
and default /etc/ccs/auditd.conf, there is no change in usage or
workflow and everything will Just Work. For the "advanced" user, they
have the opportunity to use these sorting rules and may create custom
profiles and custom auditd sorting rules. Usage remains the same for
"normal" users, but made easier for "advanced" users :-)



> Somebody may want to specify rules like
>
>  task.uid!=task.euid | * | * | /var/log/tomoyo/setuid.log
>
> but I don't want to implement it because it will make ccs-auditd as complicated
> as ccs-learningd.

I am happy with the sorting rules you describe above, without
implementation of task.uid.



> What is difficult with the configuration file for ccs-learningd is that we need to
> deal with "which conditions to pick up". This logic cannot be implemented right now.
>
> Meanwhile, I'd like to merge /proc/ccs/grant_log and /proc/ccs/reject_log into
> /proc/ccs/audit and implement ccs-auditd's sorting logic.

Users may change the name of the log file that profile=1 domains will
write to, and may also wish to run ccs-learningd for profiles other
than profile=1. Therefore there should perhaps be a line in
/etc/ccs/auditd.conf that ccs-learningd could source from to determine
the location of the log file that it should read from. This would negate
the need for /etc/ccs/learningd.conf. In fact, I think the better
solution would be to have ccs-learningd require command line
arguments. ccs-learningd is unlikely to be a permanently running
daemon like ccs-auditd and so can be called when required, with an option
to unlink if specified:

# ccs-learningd /var/log/tomoyo/profile_1.reject.log unlink



> Very helpful. I saw your project on sourceforge.net and understood that
> your suggestions come from your skillfulness with the CUI environment.

Very glad to be of help :-)


Kind regards
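An added illustration of the sorting-rule format and first-match routing proposed in the quoted message (editor's example, not code from the thread or from TOMOYO's ccs-auditd); the rule table is copied from the proposal and the audit records are constructed, abbreviated versions of the quoted ones:

```python
from typing import List, Optional, Tuple

# Rule table in the "pat1 | pat2 | pat3 | destination" format proposed in the
# thread (copied from the quoted proposal): first matching rule wins, "*"
# matches anything, and quotes only delimit a pattern containing spaces.
RULES_TEXT = """
granted=yes | * | * | /dev/null
profile=2 | * | "file read" | /var/log/tomoyo/profile_002.reject.file.read.log
profile=2 | * | "file write" | /var/log/tomoyo/profile_002.reject.file.write.log
profile=2 | * | * | /var/log/tomoyo/profile_002.reject.log
* | <kernel> /usr/sbin/httpd | * | /var/log/tomoyo/apache.reject.log
"""

# Constructed three-line audit records, abbreviated from the ones in the thread.
SAMPLE_READ = """#2010-09-09 14:27:28# profile=2 mode=permissive granted=no (global-pid=3392)
<kernel> /usr/sbin/httpd /bin/sh /usr/bin/id
file read /usr/lib/locale/locale-archive"""
SAMPLE_EXEC = """#2010-09-09 14:27:28# profile=1 mode=learning granted=no (global-pid=3392)
<kernel> /usr/sbin/httpd /bin/sh
file execute /usr/bin/id"""
SAMPLE_GRANTED = """#2010-09-09 14:27:29# profile=3 mode=enforcing granted=yes (global-pid=3400)
<kernel> /usr/sbin/sshd
file read /etc/ssh/sshd_config"""

Rule = Tuple[List[Optional[str]], str]

def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines into ([pat1, pat2, pat3], destination); None stands for '*'."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 '|'-separated fields: {raw!r}")
        pats = [None if f == "*" else f.strip('"') for f in fields[:3]]
        rules.append((pats, fields[3]))
    return rules

def route(record: str, rules: List[Rule]) -> Optional[str]:
    """Pick the destination for one three-line audit record (None: no rule matched).
    Each pattern is an fgrep-style fixed-string substring test on its own line."""
    lines = record.strip("\n").split("\n")
    if len(lines) != 3:
        raise ValueError("an audit record must have exactly three lines")
    for pats, dest in rules:
        if all(p is None or p in line for p, line in zip(pats, lines)):
            return dest
    return None
```

Because the test is a plain substring match, as the proposal specifies, a pattern such as `profile=2` also matches a first line containing `profile=20`, so rule order and pattern precision both matter when profiles beyond the defaults are added.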



