Neal Gompa wrote: > > On Wed, Jan 5, 2022 at 9:43 AM Sérgio Basto <sergio(a)serjux.com&gt; wrote: > > ... > > > > a big BTW when /etc/init.d/network will be removed or migrate to > > systemd scripts ? > > > > rpm -qf /etc/init.d/network --qf "packge = %{sourcerpm}\nsub-package = > > %{name}\n" > > > > packge = initscripts-10.09-1.fc34.src.rpm > > sub-package = network-scripts > It's deprecated and expected to be retired eventually. I doubt a > "port" would ever happen. initscripts is needed by audit: https://bugzilla.redhat.com/2029105

On Wed, Jan 05, 2022 at 11:37:48AM -0800, Adam Williamson wrote: > On Wed, 2022-01-05 at 20:19 +0100, Xose Vazquez Perez wrote: > > Neal Gompa wrote: > > > > On Wed, Jan 5, 2022 at 9:43 AM Sérgio Basto > > > > <sergio(a)serjux.com&gt; wrote: ... > > > > > > > > a big BTW when /etc/init.d/network will be removed or migrate to > > > > systemd scripts ? > > > > > > > > rpm -qf /etc/init.d/network --qf "packge = > > > > %{sourcerpm}\nsub-package = > > > > %{name}\n" > > > > > > > > packge = initscripts-10.09-1.fc34.src.rpm > > > > sub-package = network-scripts > > > > > > It's deprecated and expected to be retired eventually. I doubt a > > > "port" would ever happen. > > > > initscripts is needed by audit: https://bugzilla.redhat.com/2029105 This is really sad. Somebody who understands audit should just propose a solution. We shouldn't have an archaic technology kept in Fedora for 10 years because of one package.

I know that you said that the scripts are needed because of "magic stuff™" that the scripts do, but sorry, that's not a justification: *everything* that can be done using a shell script can also be reimplemented independently. Right now audit pulls in the whole initscripts stack, this should all be replaced by some small helper. (Maybe a separate binary, or a small shell script, or maybe something in auditctl…. I don't know because I don't know audit.)

On Thu, Jan 06, 2022 at 08:48:52AM -0800, Adam Williamson wrote: > On Thu, 2022-01-06 at 16:16 +0000, Zbigniew Jędrzejewski-Szmek wrote: > > > > I know that you said that the scripts are needed because of "magic stuff™" > > that the scripts do, but sorry, that's not a justification: *everything* that > > can be done using a shell script can also be reimplemented independently. > > Right now audit pulls in the whole initscripts stack, this should all be replaced > > by some small helper. (Maybe a separate binary, or a small shell script, or > > maybe something in auditctl…. I don't know because I don't know audit.) > > As I understand the bug, it's not a question of whether the thing can > be done, but whether it can be known *who did it*. There is no magic functionality in the kernel that specifically records that something was executed by some specific script. If that scripts sends a signal somewhere, you can send the same signal with the same sender info and the same privileges using bash/python/C/Rust or even assembly. So the "who did it" information can be provided in a different way without pulling in the initscripts stack, or it is bogus, or maybe even both.

On Thu, Jan 06, 2022 at 01:17:01PM -0500, Simo Sorce wrote: > On Thu, 2022-01-06 at 18:02 +0000, Zbigniew Jędrzejewski-Szmek wrote: > > On Thu, Jan 06, 2022 at 08:48:52AM -0800, Adam Williamson wrote: > > > On Thu, 2022-01-06 at 16:16 +0000, Zbigniew Jędrzejewski-Szmek wrote: > > > > > > > > I know that you said that the scripts are needed because of "magic stuff™" > > > > that the scripts do, but sorry, that's not a justification: *everything* that > > > > can be done using a shell script can also be reimplemented independently. > > > > Right now audit pulls in the whole initscripts stack, this should all be replaced > > > > by some small helper. (Maybe a separate binary, or a small shell script, or > > > > maybe something in auditctl…. I don't know because I don't know audit.) > > > > > > As I understand the bug, it's not a question of whether the thing can > > > be done, but whether it can be known *who did it*. > > > > There is no magic functionality in the kernel that specifically records that > > something was executed by some specific script. If that scripts sends a signal > > somewhere, you can send the same signal with the same sender info and the same privileges > > using bash/python/C/Rust or even assembly. So the "who did it" information > > can be provided in a different way without pulling in the initscripts stack, > > or it is bogus, or maybe even both. > > In this case the "who" is the user, not the script. Yes, obviously the user is outside of the machine and "user" always means some program running under the UID assigned to the user. All I'm trying to say is that if you can make one implementation of this program (e.g. a set of bash scripts) send some bit of information, you can make another implementation send the same signal. > The problem of going through systemctl is that the "who" is lost > because all the audit system can see is that systemd started the > action. Basically the communication between systemctl and systemd masks > the identity of the user that initiated the action. Yes, systemctl doesn't save this information. So audit uses some alternative command to send this information somewhere. This alternative command should just send this bit of information where appropriate and then call systemctl. More-or-less as things are now, but without the initscripts baggage.

> I believe a solution needs to be found between systemd and the audit > subsystem in general so that we remove this whole class of issues > altogether. If there's a need to add something to systemctl or systemd, we can do it. But it's never been clearly articulated afaik.

Hello, On Thursday, January 6, 2022 1:02:36 PM EST Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Jan 06, 2022 at 08:48:52AM -0800, Adam Williamson wrote: > > On Thu, 2022-01-06 at 16:16 +0000, Zbigniew Jędrzejewski-Szmek wrote: > > > I know that you said that the scripts are needed because of "magic > > > stuff™" that the scripts do, but sorry, that's not a justification: It is the justification. The audit system has regulatory requirements imposed on it. This is required by common criteria and subsequently depended on for PCI-DSS, CIS, DISA STIG, NIST risk management framework, and many other security or regulatory schemes. > > > *everything* that can be done using a shell script can also be > > > reimplemented independently. Right now audit pulls in the whole > > > initscripts stack, this should all be replaced by some small helper. I moved it to initscripts-service in rawhide. > > > (Maybe a separate binary, or a small shell script, or maybe something > > > in auditctl…. I don't know because I don't know audit.)> It would be better if there was a systemctl solution. Any solution I implement will be met with you need to migrate to systemctl. There have been multiple bz opened and closed on this. > > As I understand the bug, it's not a question of whether the thing can > > be done, but whether it can be known *who did it*. Exactly. And "who" means login uid, pid, and their security label. You can only get this if the signal is sent from the user's context. > There is no magic functionality in the kernel that specifically records > that something was executed by some specific script. There actually is magic in the kernel that records who sent a signal to the audit daemon and the necessary atributes. This functionality has been there since at least 2005. It's not new.

> > There actually is magic in the kernel that records who sent a signal to > > the audit daemon and the necessary atributes. This functionality has > > been there since at least 2005. It's not new. > > Right, so is /usr/bin/stop-audit with the following contents the > solution: > --------------- > #!/bin/sh > set -e > exec kill $(systemctl show -P MainPID auditd) > --------------- > ?

I do not believe this is currently usable for audit because the information on who requested to kill the process is lost this way. In terms of audit you can audit that user XYZ ran /usr/bin/stop-audit, however the process that actually then kills the audit daemon will not have the magic markers in the kernel side and will instead be the systemd process.

This breaks the audit log chain, as there is no way to audit that systemd is operating on behalf of that user. The audit trail chain is broken by the systemcl -> systemd jump.

This is the problem that need to be solved to get rid of audit's use of shell scripts that directly perform operations wrt the kernel.

I wonder if another option is to have the audit code in the kernel intercept systemcl messages sent to systemd and interpret the commands and log what they are asking ...

Since auditd is started by systemd, you just _have_ to trust systemd. If control over the manager is lost, the manager can just do anything it wants, masquerading as any user. So the logging provided by recording of the direct signal is only a "good will" effort, fairly easy to spoof if you've actually gained some inappropriate privileges. The logging that systemd does is effectively just as trustworthy as the audit log as long as the system integrity is maintained.

> It would be better if there was a systemctl solution. Any solution I > implement will be met with you need to migrate to systemctl. There have > been multiple bz opened and closed on this. What would you need in order to be able to migrate to systemctl?

Could the dbus daemon or systemd generate the necessary audit records?

Or could auditctl handle everything itself, perhaps by talking to auditd over a socket instead of sending a signal?

I'd say we want to get rid of both;)

On 1/5/22 17:43, Michael Cronenworth wrote: > On 1/5/22 2:17 PM, Zbigniew Jędrzejewski-Szmek wrote: >> I'd say we want to get rid of both;) > > There are use-cases that NetworkManager just doesn't support that network-scripts > does. If network-scripts is orphaned I'll probably pick it up. Which use-cases are these? Does systemd-networkd address them?

I already cited one upthread - openvswitch integration. And possibly ifup-pre , I haven't found a NetworkManager equivalent to that mechanism yet, but I might be missing it.

I am, however, curious what functionality exists in network-scripts that doesn't in NetworkManager, since most of the newer networking features were only implemented in ifcfg-rh on NetworkManager.

ifcfg scripts don't run an RA server. You can set signaling radvd, which can also be done with NM dispatcher scripts (which would be much more flexible, since it wouldn't be hard-coded to just radvd like the ifcfg scripts).

On 1/6/22 7:53 AM, Chris Adams wrote: > ifcfg scripts don't run an RA server.  You can set signaling radvd, > which can also be done with NM dispatcher scripts (which would be > much > more flexible, since it wouldn't be hard-coded to just radvd like > the > ifcfg scripts). Do you use this in real-life? How do you get the PD address into the radvd config using NM dispatcher?

Would the RA support in systemd-networkd work for your case? I don't know much more about than that various improvements have been done recently with renewing and propagating of the ipv6 routing info, and would be very interested if it's enough to serve your usecase. https://www.freedesktop.org/software/systemd/man/systemd.network.html#IPv... https://www.freedesktop.org/software/systemd/man/systemd.network.html#IPv... https://www.freedesktop.org/software/systemd/man/systemd.network.html#%5B... https://www.freedesktop.org/software/systemd/man/systemd.network.html#Exa...