On Thu, 2022-01-06 at 20:09 +0000, Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Jan 06, 2022 at 01:55:50PM -0500, Steve Grubb wrote: > > Hello, > > > > On Thursday, January 6, 2022 1:02:36 PM EST Zbigniew Jędrzejewski-Szmek > > wrote: > > > On Thu, Jan 06, 2022 at 08:48:52AM -0800, Adam Williamson wrote: > > > > On Thu, 2022-01-06 at 16:16 +0000, Zbigniew Jędrzejewski-Szmek wrote: > > > > > I know that you said that the scripts are needed because of "magic > > > > > stuff™" that the scripts do, but sorry, that's not a justification: > > > > It is the justification. The audit system has regulatory requirements > > imposed > > on it. This is required by common criteria and subsequently depended on for > > PCI-DSS, CIS, DISA STIG, NIST risk management framework, and many other > > security or regulatory schemes. > > > > > > > > > *everything* that can be done using a shell script can also be > > > > > reimplemented independently. Right now audit pulls in the whole > > > > > initscripts stack, this should all be replaced by some small helper. > > > > I moved it to initscripts-service in rawhide. > > > > > > > (Maybe a separate binary, or a small shell script, or maybe something > > > > > in auditctl…. I don't know because I don't know audit.)> > > > > It would be better if there was a systemctl solution. Any solution I > > implement will be met with you need to migrate to systemctl. There have > > been > > multiple bz opened and closed on this. > > > > > > As I understand the bug, it's not a question of whether the thing can > > > > be done, but whether it can be known *who did it*. > > > > Exactly. And "who" means login uid, pid, and their security label. You can > > only get this if the signal is sent from the user's context. > > > > > There is no magic functionality in the kernel that specifically records > > > that something was executed by some specific script. > > > > There actually is magic in the kernel that records who sent a signal to the > > audit daemon and the necessary atributes. This functionality has been > > there > > since at least 2005. It's not new. > > Right, so is /usr/bin/stop-audit with the following contents the solution: > --------------- > #!/bin/sh > set -e > exec kill $(systemctl show -P MainPID auditd) > --------------- > ?
I do not believe this is currently usable for audit because the information on who requested to kill the process is lost this way. In terms of audit you can audit that user XYZ ran /usr/bin/stop-audit, however the process that actually then kills the audit daemon will not have the magic markers in the kernel side and will instead be the systemd process. This breaks the audit log chain, as there is no way to audit that systemd is operating on behalf of that user. The audit trail chain is broken by the systemcl -> systemd jump. This is the problem that need to be solved to get rid of audit's use of shell scripts that directly perform operations wrt the kernel. I wonder if another option is to have the audit code in the kernel intercept systemcl messages sent to systemd and interpret the commands and log what they are asking ... Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure