Hi,
Attached is the design proposal for the audit failure action project.
Please review it and send me any comments.
Thanks,
Lisa
This is the design proposal for the audit failure project
Author: Lisa Smith
Version 1.1
April 28, 2006
Problem
-------
Currently, each service and application is responsible for determining
the action to take when the audit subsystem is unavailable (stop the
service, halt the system, continue on, etc.). It is not ideal to
require all application developers to determine the appropriate action
to take and to incorporate this into the application. Different
customers may want different actions taken, and this flexibility is
not possible if the action is hard-coded into the application.
Note that this project does not extend the kernel space audit failure
functionality specified by the audit_failure global variable. This
is an audit failure configurable for user space, used when the
functions audit_open() or audit_send_user_message() return an error.
Current applications, such as cups, ignore errors returned
by audit_open() or audit_send_user_message() and simply continue
executing.
Design Overview
---------------
The solution to this problem would be most flexible and give
administrators the most control if the action were determined by
information in a configuration file specified by the application.
The configuration file will be read by two new wrapper functions
that call the two entry points into the audit subsystem.
Two wrapper functions will be created to call audit_open() and
audit_send_user_message(). Each wrapper function will process the return
value from the audit calls and perform the appropriate action if the
audit function returns failure.
The wrapper functions will determine what action to take in the
case of audit failure based on a configuration file stored in
/etc/audit.d/fail. Each application that wants to perform a specific
action on audit failure will call the new wrapper function passing in
the name of the configuration file that it would like to use. The
directory and default configuration file are owned by the audit
package. Any additional override files will be owned and installed by
the application to which they are associated.
The wrapper functions will live in libaudit and any services and
applications that would like to use this functionality would need
to call the respective wrapper function in place of audit_open() and
audit_send_user_message().
Current known services/apps that could use this feature:
cups
device manager
Actions allowed:
Halt system
Drop to single user mode
Stop the service/application
Continue on as normal
Run a command or script (i.e. page someone)
New functions
-------------
All functions will live in libaudit.
int audit_send_user_message_check_failure (int fd, int type,
hide_t hide_error, const char *message, char *config_file)
This function will call audit_send_user_message() with the parameters
passed in, other than the config_file parameter. The return value
from audit_send_user_message() will be checked and appropriate
action will be taken if a value < 0 is returned. The action will be
determined by the contents of the file specified in the config_file
parameter.
int audit_open_check_failure(char *config_file)
This function will call audit_open() with no parameters. The fd
returned from audit_open() will be checked and appropriate action
will be taken if a value < 0 is returned. The action will be
determined by the contents of the file specified in the config_file
parameter.
Configuration directory and layout
----------------------------------
All configuration files are located in /etc/audit.d/fail. Files are
plain text.
/etc/audit.d/fail # ls
cups
devmgr
default
Sample config file
------------------
# configuration file for cups to determine action to take when call
# to audit subsystem fails.
command:/sbin/service cups stop
# Other possible actions:
# action:continue --> application/service continues on
# action:single --> bring down to single-user mode
# command:/sbin/shutdown -h now --> shutdown the system
# command:/usr/bin/pageadmin.ksh --> run a script to page someone
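As an added illustration (not part of the proposal or of libaudit), the following C code parses the config file format shown above into the action the wrapper functions would take, and adds the ownership/permission check a wrapper should perform before acting on a command: line, since that command runs with the service's privileges. The names parse_fail_config, fail_config_is_trusted, fail_action_of and the struct layout are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum fail_action { FAIL_INVALID = 0, FAIL_CONTINUE, FAIL_SINGLE, FAIL_COMMAND };

struct fail_config {
    enum fail_action action;
    char command[256];      /* only meaningful for FAIL_COMMAND */
};

/* Parse the contents of one /etc/audit.d/fail file. Blank lines and '#'
 * comments are skipped; the first directive decides the action. Anything
 * unrecognised yields FAIL_INVALID so a corrupt or empty file does not
 * silently become "continue". Returns 0 on success, -1 otherwise. */
int parse_fail_config(const char *text, struct fail_config *cfg)
{
    char line[512];
    cfg->action = FAIL_INVALID;
    cfg->command[0] = '\0';
    for (const char *p = text; *p; ) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line) return -1;          /* over-long line: reject */
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');
        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#') continue;    /* blank or comment line */
        char *e = s + strlen(s);
        while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
        if (strcmp(s, "action:continue") == 0) { cfg->action = FAIL_CONTINUE; return 0; }
        if (strcmp(s, "action:single") == 0)   { cfg->action = FAIL_SINGLE;   return 0; }
        if (strncmp(s, "command:", 8) == 0 && s[8] != '\0') {
            cfg->action = FAIL_COMMAND;
            snprintf(cfg->command, sizeof cfg->command, "%s", s + 8);
            return 0;
        }
        return -1;                                /* unknown directive */
    }
    return -1;                                    /* no directive at all */
}

/* Convenience for callers that only need the decision. */
enum fail_action fail_action_of(const char *text)
{
    struct fail_config c;
    return parse_fail_config(text, &c) == 0 ? c.action : FAIL_INVALID;
}

/* A command: line is executed with the service's privileges, so the wrapper
 * should refuse a config file that is not root-owned or is writable by
 * group/other (assumed check; the proposal does not specify it). */
int fail_config_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return st.st_uid == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
```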
--
redhat-lspp mailing list
[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-lspp