On Thu, 2005-03-24 at 15:58 -0500, Chris Stankaitis wrote:
If there is no 2.4 kernel solution, is there a 2.6/selinux solution to my problem? that would not allow anyone (even root) to do anything but append to logs?
Yes, definitely. SELinux provides a fine-grained "append" permission for files that one can grant to specific domains for specific file types (such as log files).
How exactly you implement this depends on which threats you are trying to counter. If you are simply trying to prevent a compromised daemon program which runs as uid 0 from changing logs, you could probably stick with the default Fedora "targeted" policy, which for a number of daemons such as Apache HTTPD already enforces this restriction. If you have daemons outside the targeted set, it is typically not too difficult to pull in the relevant policy from the "strict" into targeted, although there are a few gotchas which we can help with on fedora-selinux-list.
In order to confine user logins (e.g. someone logging in as root via sshd), you will need to use the "strict" policy. You then have to make a decision on exactly what permissions to grant to the login. One option is to simply place root into the user_r role (i.e. not sysadm_r). There, the login is restricted in a way similar in effect to a Linux non-zero uid. However, system administration such as restarting daemons is not possible.
It is theoretically possible to have a role similar to sysadm_r/sysadm_t but that prevents direct access to log files. However, it seems very likely to me that someone with privileges similar to sysadm_t could indirectly influence log files in other ways; e.g. by simply installing a malicious version of a daemon package. I imagine the same is true of the BSD securitylevel, of course.
One nice thing about SELinux though is that you can use a tool such as "apol" to find all of those means of influence; i.e. what is the information flow from user_t to httpd_log_t. With BSD security levels you don't have any such assurance.
If you have more questions about SELinux, please ask on fedora-selinux-list.
Esentially as I mentioned what we need to create is a centralized logging server where all our boxes will log to, which in itself is setup in a way so that even root can not modify the logs without it being painfully obvious that the server had been compromised. We would be turning off logrotate, the box would be a minimal install, with it's only function to run a logger which would write local messages, as well as take in the logs from all other servers.
The issue comes when you have to try and restrict root from doing something :) I'll pop onto the selinux list and start getting better aquainted with the in's and out's of selinux and the functions which could let us acomplish this.
--Chris
