[PATCH 1/1] NAX LSM: Add initial support support
Simon.THOBY at viveris.fr
Thu Aug 12 14:47:08 UTC 2021
On 8/10/21 6:52 AM, J Freyensee wrote:
>> Have you considered writing to the audit log instead of the kernel messages directly?
>> (not saying that this is necessarily better, but is there a reasoning to prefer one or
>> the other here? Audit logs are often consumed by automated tools and it may be more pratical
>> for people to detect and treat violations if the messages were pushed to the audit log
>> - but conversely, that requires defining and maintaining a stable log format for consumers)
> It's a good idea to writing to the audit log, HOWEVER I'd want to know
> what all the rest of the LSMs are doing in a case like this. If all of
> them just write kernel messages, I'd want this module to also write just
> kernel messages for consistency sake for use with say, log harvesters
> for a SIEM/XDR system solution.
Right, after taking a quick look through the SafeSetID, YAMA and the future BRUTE
LSM, it looks like they all use pr_warn/pr_notice. Only the MACs seem to make use of
the audit log, so you can forget what I said about writing to the audit log, this
shouldn't be necessary, and is probably a bad idea for consistency, as Jay said.
> Just in general I like the thought of this LSM. I used to work for a
> security company in which their cloud "watched" situations where
> mmap()/mprotect() would use anonymous executable pages for possible
> "dodgy" behavior.
More information about the Linux-security-module-archive