/etc/security/audit_warn -- where to log to by default?
Tom Rhodes
trhodes at FreeBSD.org
Wed Jan 26 16:41:54 GMT 2005
On Wed, 26 Jan 2005 12:10:15 +0000 (GMT)
Robert Watson <rwatson at FreeBSD.org> wrote:
>
> On Wed, 26 Jan 2005, fergus wrote:
>
> > On 25.01-09:34, Ilmar S. Habibulin wrote:
> > [ ... ]
> > > What can we do with syslogd? Give it permission to
> > > change its own label. Set the label of /var/run/log to "*/equal". So
> > > everybody can write to the log. Now syslog reads data and decides which
> > > log it must be stored to. Then it changes own label to be equal to the
> > > appropriate log and writes to it.
> >
> > this would be very insecure. the privilege you're talking about (arbitrary
> > label switching) would basically give the box away.
>
> So herein lies the dilemma, and the answer would seem to lie somewhere
> along a spectrum of possibilities, and based on requirements.
>
> The "problem" is that in the current UNIX world order, any application
> running with any credential can submit a log message, in most systems
> using a single datagram UNIX domain socket. Likewise, that we have a
> unified set of system logs combining log messages from all applications.
> We can break these invariants, or we can try and maintain them. If we
> break the unified logging model, we still have to come up with a coherent
> notion of how to handle applications from different security domains
> submitting, so while that may eliminate some of the issues, we still have
> to address the rest.
>
> I think so far we've identified a few possible approaches of interest that
> address various parts of the problem.
>
> - In a world with only an MLS policy, there isn't really a problem,
> because write up is permitted, and you can run the system log daemon at
> system high. However, many trusted systems will make use of at least
> one additional policy type, an integrity policy, in order to protect the
> TCB.
[SNIP]: Good ideas.
On a somewhat more insane level, how about this:
The syslog daemon utilizes a config file, /etc/mac.conf, to know
how the labeling on the machine is set and works differently
accordingly:
MLS only, run system high
Biba only, run system low add extra protection where required,
Mixed environment, spawn two processes, one for MLS and one for Biba.
and continue.
My only question is: "Is this idea feasible, suitable or
just downright crazy?" I haven't really looked at all the details,
this was just an out of nowhere reply with a quickly formulated
theory, not tested, proven, nor even fully hashed out. Comments?
--
Tom Rhodes
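As an added illustration (not part of the thread, and not FreeBSD's mac_mls or mac_biba code), the Python model below encodes the MLS and Biba write rules the discussion relies on and checks which syslogd labels still let every process submit a message: system high for MLS only, system low for Biba only, and for the mixed case why a daemon that can receive from everyone may not write a high-integrity log. The level names and the two-policy label dicts are assumptions of the model.

```python
from itertools import product

# Constructed model of the thread's label checks (not FreeBSD's
# mac_mls/mac_biba code): labels are plain levels, no compartments.
MLS_LEVELS = {"low": 0, "user": 1, "high": 2}   # confidentiality
BIBA_LEVELS = {"low": 0, "user": 1, "high": 2}  # integrity

def mls_can_write(subject, obj):
    """Bell-LaPadula *-property: write-up allowed, write-down refused."""
    return MLS_LEVELS[obj] >= MLS_LEVELS[subject]

def biba_can_write(subject, obj):
    """Biba dual: no write-up, so low-integrity data cannot taint high."""
    return BIBA_LEVELS[obj] <= BIBA_LEVELS[subject]

CHECKS = {"mls": mls_can_write, "biba": biba_can_write}
LEVELS = {"mls": MLS_LEVELS, "biba": BIBA_LEVELS}

def can_write(subject, obj, policies):
    """Every loaded policy must allow the write. Labels are dicts keyed by
    policy name, e.g. {"mls": "high", "biba": "low"}."""
    return all(CHECKS[p](subject[p], obj[p]) for p in policies)

def all_labels(policies):
    """Every label a process could carry under the loaded policies."""
    return [dict(zip(policies, combo))
            for combo in product(*(LEVELS[p] for p in policies))]

def senders_that_can_log(daemon_label, policies):
    """Sender labels able to write into a socket labelled like the daemon."""
    return [s for s in all_labels(policies)
            if can_write(s, daemon_label, policies)]

def receives_from_everyone(daemon_label, policies):
    """The UNIX invariant: any process at all may submit a log message."""
    senders = senders_that_can_log(daemon_label, policies)
    return len(senders) == len(all_labels(policies))

if __name__ == "__main__":
    # MLS only: system high collects from every level (write-up permitted).
    print(receives_from_everyone({"mls": "high"}, ["mls"]))   # True
    # Biba only: only system low collects from everyone (no write-up).
    print(receives_from_everyone({"biba": "low"}, ["biba"]))  # True
    # Mixed: mls/high,biba/low still collects from everyone, but may not
    # then write a biba/high log file: the integrity problem in the thread.
    mixed = {"mls": "high", "biba": "low"}
    print(receives_from_everyone(mixed, ["mls", "biba"]))     # True
    print(can_write(mixed, {"mls": "high", "biba": "high"},
                    ["mls", "biba"]))                          # False
```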