
build audit tools and apply rules at boot #724

Merged
merged 2 commits into from
Feb 12, 2020

Conversation

bcressey
Contributor

Issue #, if available:
N/A

Description of changes:
Builds auditctl and adds a service to load a minimal set of rules at boot, so that we log SELinux messages like AVC denials and nothing else.

Testing done:
On a system built with these changes, these messages are logged.

[    0.088446] audit: disabled (until reboot)
[    0.866018] systemd[1]: Condition check resulted in Journal Audit Socket being skipped.
[    0.887849] systemd[1]: Condition check resulted in Load audit rules being skipped.

On a system built with SELinux enabled, these messages are logged:

[    0.272676] audit: initializing netlink subsys (disabled)
[    1.002125] systemd[1]: Listening on Journal Audit Socket.
[    1.025314] systemd[1]: Starting Load audit rules...
[    1.075082] systemd[1]: Started Load audit rules.

AVC denials are still logged:

# auditctl -l
-a never,user
-a never,task
-a never,exit -S all
-a always,exclude -F msgtype<AVC
-a always,exclude -F msgtype>1499

# touch /proc/1/attr/current
[  813.964886] audit: type=1400 audit(1581529366.095:3): avc:  denied  { write } for  pid=3247 comm="touch" name="current" dev="proc" ino=9365 scon1

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

This is a minimal build of audit that gives us `auditctl` and the
libraries it needs to parse and apply rules.

In place of `auditd`, we have a service that loads a set of rules
so that only SELinux events are logged. This configuration can be
replaced by a suitably privileged container if necessary.

Signed-off-by: Ben Cressey <bcressey@amazon.com>

If the audit subsystem is not explicitly disabled with "audit=0" on
the kernel command line, it will be enabled by journald but left in
an unconfigured state. Various events such as iptables changes will
then be logged, and the performance cost can be significant.

Our audit package contains a service to load audit rules at boot.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
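The rule set in the PR description and the rationale in the second commit message are easier to reason about with a model of what the kernel's exclude filter does to each record type. The following is an added example, not code from this PR or from the project: it parses rules in the form `auditctl -l` prints above, works out which record types would still reach the log, flags a rule set that drifts from the "SELinux events only" intent, and parses the one record that survives. It assumes the record type numbers listed in `AUDIT_TYPES` (taken from the kernel's `include/uapi/linux/audit.h`; AVC is 1400, matching the `type=1400` line on the page), models only `msgtype` filters, and uses constructed log lines in the page's dmesg format rather than captured data.

```python
import re

# Record type numbers from include/uapi/linux/audit.h (subset). AVC is 1400,
# matching the "type=1400" record on the page; 1400-1499 is the SELinux range.
AUDIT_TYPES = {
    "USER_AVC": 1107, "SYSCALL": 1300, "CONFIG_CHANGE": 1305,
    "NETFILTER_CFG": 1325,  # iptables table changes, the noise the PR avoids
    "AVC": 1400, "SELINUX_ERR": 1401, "MAC_POLICY_LOAD": 1403,
    "ANOM_PROMISCUOUS": 1700, "KERNEL": 2000,
}
_RULE_RE = re.compile(r"^-a\s+(always|never),(exclude|user|task|exit)(?:\s+(.*))?$")
_MSGTYPE_RE = re.compile(r"^-F\s+msgtype(<=|>=|!=|=|<|>)(\S+)$")
_REC_RE = re.compile(r"type=(\d+) audit\(([\d.]+):(\d+)\): (.*)$")
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def parse_rules(text):
    """Parse 'auditctl -l' output into (action, list, [(op, msgtype)]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        fields = []
        for f in re.findall(r"-F\s+\S+", m.group(3) or ""):
            fm = _MSGTYPE_RE.match(f)
            if fm:  # other -F keys (arch=, pid=, ...) are not modelled here
                tok = fm.group(2)  # auditctl accepts a name (AVC) or a number
                fields.append((fm.group(1), AUDIT_TYPES.get(tok) or int(tok)))
        rules.append((m.group(1), m.group(2), fields))
    return rules


def is_excluded(msgtype, rules):
    """True if an 'always,exclude' rule matches; -F terms on one rule are ANDed."""
    return any(a == "always" and l == "exclude" and f
               and all(_OPS[op](msgtype, v) for op, v in f)
               for a, l, f in rules)


def surviving_types(rules):
    """Known record types the exclude filter would still let into the log."""
    return [n for n, t in AUDIT_TYPES.items() if not is_excluded(t, rules)]


def check_minimal_ruleset(rules):
    """Findings that mean the set is not the 'SELinux events only' one."""
    findings = ["missing '-a never,%s'" % lst for lst in ("user", "task", "exit")
                if not any(a == "never" and l == lst for a, l, _ in rules)]
    kept = surviving_types(rules)
    extra = sorted(n for n in kept if not 1400 <= AUDIT_TYPES[n] <= 1499)
    if extra:
        findings.append("non-SELinux types still logged: " + ", ".join(extra))
    if "AVC" not in kept:
        findings.append("AVC denials would be dropped")
    return findings


def parse_record(line):
    """Split a printk-style audit record into type, timestamp, serial, fields."""
    m = _REC_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "time": float(m.group(2)), "serial": int(m.group(3))}
    d = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}", m.group(4))
    if d:
        rec["decision"], rec["perms"] = d.group(1), d.group(2).split()
    for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(4)):
        rec[k] = v.strip('"')
    return rec


def kept_records(lines, rules):
    """Records that the loaded rule set would let through to the log."""
    recs = (parse_record(l) for l in lines)
    return [r for r in recs if r and not is_excluded(r["type"], rules)]


# The rule set shown on the page, exactly as auditctl -l prints it.
RULES_FROM_PAGE = """
-a never,user
-a never,task
-a never,exit -S all
-a always,exclude -F msgtype<AVC
-a always,exclude -F msgtype>1499
"""

# Constructed sample lines (not captured data) in the page's dmesg format:
# the page's AVC denial plus two records the filter should drop.
SAMPLE_LOG = [
    '[  813.964886] audit: type=1400 audit(1581529366.095:3): avc:  denied  { write } for  pid=3247 comm="touch" name="current" dev="proc" ino=9365',
    '[  900.123456] audit: type=1325 audit(1581529452.100:4): table=filter family=2 entries=5 op=register',
    '[  901.654321] audit: type=1300 audit(1581529453.200:5): arch=c000003e syscall=59 success=yes exit=0',
]
```

Running `check_minimal_ruleset(parse_rules(RULES_FROM_PAGE))` returns no findings, while dropping the `msgtype>1499` rule reports the high-numbered types that would leak back in; the same check pointed at real `auditctl -l` output is a cheap boot-time or CI assertion that the loaded rules are still the intended ones. The page's own output also shows the AVC record arriving on its own, with no companion SYSCALL record: that is the effect of `-a never,exit -S all`, which keeps syscall auditing (and its cost) off entirely.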
@tjkirch (Contributor) left a comment


I don't know what you're doing, but the packaging looks fine. It'd be good to have some training about SELinux, audit, and friends.

@bcressey bcressey merged commit 70a8415 into develop Feb 12, 2020
@bcressey bcressey deleted the audit branch February 12, 2020 23:28