In F17 I'd like to see CONFIG_AUDIT_LOGINUID_IMMUTABLE turned on.
In the old days when an admin restarted a service they actually did the restart themselves. Thus the new daemon would be attributed to the loginuid of the admin. If this daemon was ssh, when a new user logged in we needed a method to 'switch' the loginuid so the audit trail was associated with this new user, not the admin who started sshd.
With the advent of systemd admins do not directly launch daemons and instead init launches it on their behalf. With this option set sshd will not need to 'switch' its loginuid, instead it will 'set' it for the first time. Even after a restart. This couldn't work under sysvinit or upstart, but since Fedora has removed almost all init scripts, noone can be using sysvinit or upstart any more!
With this enabled we will break people directly launching login utilities instead of going through init. However it will allow us to remove some permissions from applications (CAP_AUDIT_CONTROL) since setting the loginuid will no longer be a privileged operation and will greatly increase the reliability of audit logs to be able to attest to what user performed what operation.
-Eric
On Thu, 2012-02-09 at 14:32 -0500, Eric Paris wrote:
With this enabled we will break people directly launching login utilities instead of going through init. However it will allow us to remove some permissions from applications (CAP_AUDIT_CONTROL) since setting the loginuid will no longer be a privileged operation and will greatly increase the reliability of audit logs to be able to attest to what user performed what operation.
Launching by hand can be made to work by changing your pam config to switch pam_loginuid.so to be 'optional' instead of 'required.' It also means that the admin who started the service will be attributed to everything someone who logs in did.
but those are the knocks if you do weird stuff like launch your own sshd inside a chroot....
On Thursday, February 09, 2012 02:32:00 PM Eric Paris wrote:
With this enabled we will break people directly launching login utilities instead of going through init. However it will allow us to remove some permissions from applications (CAP_AUDIT_CONTROL) since setting the loginuid will no longer be a privileged operation and will greatly increase the reliability of audit logs to be able to attest to what user performed what operation.
Making the login uid immutable would be nice, but I don't get the part about removing privileges. Setting the login uid is a privileged operation. It always has to be that way.
-Steve
kernel@lists.fedoraproject.org
-
Eric Paris -
Steve Grubb