[EMAIL PROTECTED] wrote:
On Fri, 15 Sep 2006 15:36:49 EDT, Steve Grubb said:
On Friday 15 September 2006 15:28, Stephen Smalley wrote:

Are you sure? What do you want to audit?
newrole -r typoinrolename ?
newrole -r sysadm_r for user not authorized for that role?
any error exit path out of newrole?
The first two cases look exactly identical to newrole btw - it just gets
an error from security_check_context() telling it that the context
wasn't valid, not why.

I think we only need to say that the result was a failure. We do not need to
say why it failed.

I'm currently working on newrole in Janak's stead, and it seems to me
that the only place it would make sense to report a failure is when the
new context's validation check fails.

Does it make sense to just log what information we *do* know, and hope there's
enough for a human to tell what happened? Or does this run into the same sort
of data-disclosure issues that logging the userid on invalid password attempts
has (namely, that if the user has gotten "out of sync", they may type their
password in response to the Userid: prompt and cause it to be logged in
cleartext). Or should security_check_context() return a more featureful
return code in case of an error?

Before the user has authenticated, the only point of failure which is
policy related is obtaining the default type for a role if the type is
left unspecified. I do not see this as an error worthy of auditing,
since I frequently mistype my intended role.

After authentication, the new context's validation check occurs, and I
feel that this is the first point where auditing becomes reasonable.
After this check, almost all subsequent points of failure are due to
errors I would consider to be unexpected (e.g. ENOMEM), although some
are due to relabeling the tty, which can fail in enforcing mode. We
already have AVC messages which handle this, but should this failure be
audited?

In short, I would recommend adding auditing if the new context's validation
check fails, and retaining the auditing of success as it is now. Would this
logging of the failed attempt post-authentication be sufficient?

Thanks,
Mike
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp