On Thu, 2022-01-06 at 22:17 +0000, Zbigniew Jędrzejewski-Szmek wrote: > Since auditd is started by systemd, you just _have_ to trust systemd. > If control over the manager is lost, the manager can just do anything > it wants, masquerading as any user. So the logging provided by recording > of the direct signal is only a "good will" effort, fairly easy to spoof > if you've actually gained some inappropriate privileges. The logging > that systemd does is effectively just as trustworthy as the audit log > as long as the system integrity is maintained. I think this is really a key point TBH. Auditd trusts the kernel to behave correctly, and I think all problems could be solved by also trusting systemd-init to provide correct info. At the point auditd would simply trust the uids systemd can pull via scm credentials or some dedicated kernel facility if more is needed and get over the "dbus steals my knowledge" issue. Steve, what would it take for auditd to trust systemd's information? Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
