[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2

John Johansen jjohansen at suse.de
Tue Feb 6 09:03:58 MST 2007


On Tue, Feb 06, 2007 at 12:26:09PM +0100, ps wrote:
> Hello Seth
> Today early morning I checked your advice.
> When I added capability CAP_AUDIT_CONTROL and restarted apparmor
> everything seemed ok. Adding CAP_AUDIT_WRITE didn't work.
> I could log in via ssh and there weren't any log trails in
> /var/log/audid/audit.log
> Adding CAP_AUDIT_CONTROL helped but I wonder if adding this capability
> is not a security violation.
> I checked what is written in man capabilities but there is no specific
> information about security considerations when using this capability.
> In system manual there is only information like this:
> "Enable and disable kernel auditing; change auditing filter rules;
> retrieve auditing status and filtering rules."
> So, using this capability in the AppArmor profile for sshd does what? Enable
> or disable kernel auditing? Judging from the absence of log trails in
> audid.log I think that adding this capability simply switched off
> capability checking. Maybe I'm wrong?
> 
It allows for control of the kernel audit facilities, so an application
with these capabilities can manipulate the audit subsystem.  This
may affect AppArmor's reporting (which goes through the audit subsystem) but
not its enforcement.  Adding these capabilities to a profile means that
unless the profile is in audit mode it won't generate any log messages.

With the newest version of the AA module (svn head, and 10.3 alpha
once a new kernel is rolled) even in audit mode for each task the
capability messages will only show up once per task, to reduce the
volume of messages sent to the log.
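
An added example, not part of the original message or of AppArmor's own tooling: a small Python check that lists where a profile grants the audit capabilities discussed in this thread, so the grant can be reviewed. The sample profile is constructed, the function name is hypothetical, current apparmor.d rule syntax is assumed, and `#include`d abstractions are not followed.

```python
import re

# Capabilities that govern the kernel audit subsystem (see capabilities(7)).
AUDIT_CAPS = {"audit_control", "audit_write"}

# An AppArmor capability rule, e.g. "capability audit_control,", optionally
# preceded by the "audit" and/or "deny" rule qualifiers.
RULE = re.compile(r"^\s*((?:(?:audit|deny)\s+)*)capability\b([^,]*),")

def audit_capability_grants(profile_text):
    """Return [(line_no, capability, qualifiers)] for audit-related rules."""
    findings = []
    for no, line in enumerate(profile_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop comments (and #include lines)
        m = RULE.match(line)
        if not m:
            continue
        quals = tuple(m.group(1).split())
        # A bare "capability," rule covers every capability, audit ones included.
        names = [c.lower() for c in m.group(2).split()] or sorted(AUDIT_CAPS)
        for cap in names:
            if cap in AUDIT_CAPS:
                findings.append((no, cap, quals))
    return findings

# Constructed sample profile, not the poster's actual sshd profile.
SAMPLE = """\
# constructed sample
/usr/sbin/sshd {
  #include <abstractions/base>
  capability setuid,
  capability audit_control,   # lets sshd change kernel audit settings
  audit capability audit_write,
  deny capability sys_module,
  /etc/ssh/* r,
}
"""

if __name__ == "__main__":
    for no, cap, quals in audit_capability_grants(SAMPLE):
        kind = " ".join(quals) or "allow"
        print(f"line {no}: {cap} ({kind})")
```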