fapolicyd
update {allow,deny}_log decisions to have configurable targets
Would it make sense not to define the decision log target in the rules themselves but use a common decision `deny_log` and maybe even `allow_log`, and use a general configuration to specify where to send the logs, like audit, syslog, and possibly other options?
See more detailed description in the comment below (https://github.com/linux-application-whitelisting/fapolicyd/issues/108#issuecomment-1016377543).
It would also be good if the logging could happen to every configured destination at the same time. I.e. `deny_log` would emit an audit message, a syslog message and a debug message if configured.
Support is already in place to send audit events to different destinations on a rule by rule basis. At this point, I don't think we can alter that. And I wonder if it would be confusing to the end user if they can both specify and override. Which one wins?
I'm not sure what you mean by override. There would not be any concurrent settings / rules. The rule would say send an audit message and the configuration would define where to actually send it. The thing why I started to think about it is that the daemon does not send the audit messages if it runs in debug mode. I would expect it to be sent to all 'subscribers', i.e. audit and console at the same time.
Well, if the rule says audit and the config says syslog, then you've overridden the rule.
Debug mode was envisioned for testing rather than for recording. There are times when you want to test something but not mess up the audit log. So, this mode is for doing things like that. You can always save the debug output with tee or tail syslog or the audit logs.
Let me revise this idea again and explain it a bit better, hopefully.
I have basically two reasons for this feature:
- no need to change the default rules just to change the log target
- receive the log events at multiple places at the same time, e.g. debug and audit
Solution:
- Introduce a new configuration option `log_target` as a multi-value option with default value `audit`. Could be used for e.g. `log_target=audit,syslog` to match the current logic.
- Change the `deny_log` and `allow_log` behavior to match the `log_target` configuration.

The command line switches `--debug` and `--debug-deny` would effectively add `debug` to the target list.

The default rules would be changed from `deny_audit` to `deny_log` for a fluent transition.
Now, the usefulness becomes more imminent with the rules split into the `rules.d` directory. While we want to detect the unchanged default rule, we should allow a user to configure a different log target differently than by changing rules.