From owner-freebsd-hackers Sat Mar 16 6:23:48 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7981737B400; Sat, 16 Mar 2002 06:23:44 -0800 (PST) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.6) with SMTP id g2GENTF29410; Sat, 16 Mar 2002 09:23:37 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Sat, 16 Mar 2002 09:23:28 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: Jeff Jirsa Cc: freebsd-hackers@freebsd.org, arr@freebsd.org Subject: Re: logging securelevel violations In-Reply-To: <002001c1c936$c25ff4d0$5e3bad86@boredom> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, 11 Mar 2002, Jeff Jirsa wrote: > I've noticed that currently, violations of securelevel are aborted, but not > typically logged. It seems like in addition to aborting whichever calls are > in progress, logging an error might be beneficial. I recognize that this > goes along the same lines as logging file permission errors, but if a file > is marked immutable, the implicit value of the file should suggest that one > might want to be able to audit attempted changes to that file. <...> > Would the following not work? <...> > log(LOG_ERR, "Unable to load module %s: securelevel violation \n", <...> > So, my questions are: Why shouldn't it be done? What simple problems am I > overlooking? (Would such a contribution have a chance of making it into > 5.0?) It would work, certainly, but I guess the question is whether it's useful and/or desirable. The first concern I'd have is that the message is inaccurate: it's not a violation, it's a denial of a request. The security policy hasn't been violated, it's actually been enforced. Second, my concern would be whether this is useful. First off, securelevels are an inconsistent policy, and easy to work around as an attacker without ever generating any of these warnings. Second, these warnings would be generated during normal operations, as a number of applications attempt to load kernel modules when they need them, including ppp. Generating spurious warnings as part of normal system activity isn't necessarily a useful activity, and tends to result in more calls for help on questions@. What would be far more desirable is a general framework for auditing, something that Andrew Reiter has been working on (CC'd). I'm not sure what his current status is, but presumably reporting securelevel check failures would fit well into the framework. Depending on his progress, it may be that any contributions that you could make towards bring the framework to fruition would be much appreciated :-), be it requirements information, other suggestions, or code :-). Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message