On Monday, January 6, 2020 8:47:33 PM EST Paul Moore wrote:
> On Sun, Jan 5, 2020 at 10:22 AM Steve Grubb <sgr...@redhat.com> wrote:
> > Common Criteria calls out for any action that modifies the audit trail to
> > be recorded. That usually is interpreted to mean insertion or removal of
> > rules. It is not required to log modification of the inode information
> > since the watch is still in effect. Additionally, if the rule is a never
> > rule and the underlying file is one they do not want events for, they
> > get an event for this bookkeeping update against their wishes.
> >
> > Since no device/inode info is logged at insertion and no device/inode
> > information is logged on update, there is nothing meaningful being
> > communicated to the admin by the CONFIG_CHANGE updated_rules event. One
> > can assume that the rule was not "modified" because it is still watching
> > the intended target. If the device or inode cannot be resolved, then
> > audit_panic is called which is sufficient.
> >
> > I think the correct resolution is to drop logging config_update events
> > since the watch is still in effect but just on another unknown inode.
>
> Either this patch is the correct resolution or it isn't, the
> description should state that clearly. If you are unsure we can
> discuss it, but it sounds like you are certain that this record isn't
> needed here, yes?
It's not needed based on the rationale above and it's irritating some people because of that.

-Steve

> > Signed-off-by: Steve Grubb <sgr...@redhat.com>
> > ---
> >
> > kernel/audit_watch.c | 2 --
> > 1 file changed, 2 deletions(-)
> >
> > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> > index 4508d5e0cf69..8a8fd732ff6d 100644
> > --- a/kernel/audit_watch.c
> > +++ b/kernel/audit_watch.c
> > @@ -302,8 +302,6 @@ static void audit_update_watch(struct audit_parent > > *parent,> > > if (oentry->rule.exe) > > > > audit_remove_mark(oentry->rule.exe); > > > > - audit_watch_log_rule_change(r, owatch, > > "updated_rules"); - > > > > call_rcu(&oentry->rcu, audit_free_rule_rcu); > > > > }

-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
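Review bot: The commit description should carry the rationale given in this thread rather than leaving it implicit, since the hunk in audit_update_watch() only removes the audit_watch_log_rule_change(r, owatch, "updated_rules") call (plus the blank line after it, matching the "2 deletions" diffstat) and on its own does not explain why the CONFIG_CHANGE record is safe to drop. Suggested wording for the description: the record is emitted for an inode/device bookkeeping update while the watch remains in effect, it carries no device/inode information, and an unresolvable device or inode is still handled by audit_panic, so no information an admin could act on is lost; also mention that "never" rules on watched files currently produce this event against the rule's intent. It would also help to state in the description that audit_watch_log_rule_change() keeps its other callers, since that cannot be seen from this hunk alone.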