audit: CONFIG_CHANGE don't log internal bookkeeping as an event · 70b3eeed
Steve Grubb authored
Common Criteria calls out for any action that modifies the audit trail to
be recorded. That usually is interpreted to mean insertion or removal of
rules. It is not required to log modification of the inode information
since the watch is still in effect. Additionally, if the rule is a never
rule and the underlying file is one they do not want events for, they
get an event for this bookkeeping update against their wishes.

Since no device/inode info is logged at insertion and no device/inode
information is logged on update, there is nothing meaningful being
communicated to the admin by the CONFIG_CHANGE updated_rules event. One
can assume that the rule was not "modified" because it is still watching
the intended target. If the device or inode cannot be resolved, then
audit_panic is called which is sufficient.

The correct resolution is to drop logging config_update events since
the watch is still in effect but just on another unknown inode.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Changed file: audit_watch.c (14 KB)