Re: Logging Denials

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 06/29/2018 07:00 PM, Sean Hogan wrote:
> Hi Zdenek,
> 
> Thanks for the reply. Yes sir.. so anytime a user tries to access any of
> the 3 files we would want something unique to key in on in the logs to
> identify them. We would then push those logs to a SIEM to auto generate
> offenses which auto generates call outs.
> 
> I guess I was making it more complicated than needed by going the SE
> route. I will give the audit rule mod a shot to see how it turns out and
> let you know.
> 
> 

Hi,

I'm not suer if I understand your question, but auditallow is what
you're looking for:
https://selinuxproject.org/page/AVCRules

(search for auditallow rule type)

Thanks,
Lukas.

> Thanks
> 
> Sean Hogan
> 
> 
> Inactive hide details for Zdenek Pytela ---06/29/2018 04:51:41 AM---On
> Wed, Jun 27, 2018 at 11:00 PM, Sean Hogan <schogan@us.ibZdenek Pytela
> ---06/29/2018 04:51:41 AM---On Wed, Jun 27, 2018 at 11:00 PM, Sean Hogan
> <schogan@xxxxxxxxxx> wrote: > Hello,
> 
> From: Zdenek Pytela <zpytela@xxxxxxxxxx>
> To: Sean Hogan <schogan@xxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Date: 06/29/2018 04:51 AM
> Subject: Re: Logging Denials
> ------------------------------------------------------------------------
> 
> 
> 
> 
> 
> On Wed, Jun 27, 2018 at 11:00 PM, Sean Hogan <_schogan@xxxxxx.com_
> <mailto:schogan@xxxxxxxxxx>> wrote:
> 
>     Hello,
> 
>     I am not sure this use case has come up before but some our systems
>     are set permissive. I have 3 files I want to have shared with 644 on
>     purpose. The goal is for selinux to allow users(permissive) to read
>     the file but I need a context that will still report an AVC to
>     audit.log as that will be forwarded to a SIEM where rules will be in
>     place to contact security. I have tried auditd_etc_t, var_log_t but
>     nothing ever shows up in audit.log when watching a user cat/vi the
>     files.
> 
>     In this situation I actually want to see denials lol but not 100% I
>     am seeing this right. Any help is appreciated.
> 
> 
>     -rw-r--r--. root root unconfined_u:object_r:auditd_etc_t:s0 fil1.pgp
>     -rw-r--r--. root root unconfined_u:object_r:auditd_etc_t:s0 file2.docx
>     -rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 file3.docx
> 
> 
> Hello,
> 
> Do you mean access from a user console/shell? SELinux only pays
> attention to labels, so it would not be easy to achieve this goal. Can
> you describe the use case? Maybe you just need to use audit watch rules:
> 
>   # auditctl -w /path/file1 -p r -k secure-access
> 
> which will subsequently audit each read access as
> 
> type=SYSCALL msg=audit(1530272932.863:1867): arch=c000003e syscall=2
> success=yes exit=3 a0=7ffcfb5e6706 a1=0 a2=1fffffffffff0000
> a3=7ffcfb5e5730 items=1 ppid=10516 pid=11699 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=224 comm="cat"
> exe="/usr/bin/cat"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> key="secure-access"
> type=CWD msg=audit(1530272932.863:1867):  cwd="/cwd"
> type=PATH msg=audit(1530272932.863:1867): item=0 name="/path/file1"
> inode=6508 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
> obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL
> cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PROCTITLE msg=audit(1530272932.863:1867):
> proctitle=636174002F706174682F66696C6531
> 
> -- 
> 
> Zdenek Pytela, Senior technical support engineer and team lead
> Customer Engagement and Experience, Red Hat Czech
> E-mail: _zpytela@redhat.com_ <mailto:zpytela@xxxxxxxxxx>, IRC:
> zpytela_______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/YBFNEXSCEJP4A26K3YLRHITINR5IIZXL/
> 
> 
> 
> 
> 
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/YDKIRKJBNVUCM7FNU2O6IQTIV55RVVDZ/
> 


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx/message/ZSQEZJ72YJILDXJJAXOVY2CMXQDT3Q5B/

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux