Additional file context enhancements to include ownership and mode #226
Replies: 2 comments 2 replies
-
What are the compelling reasons to consider file ownership and mode? Fapolicyd is really only supposed to answer the question of if this software is known or not. There are other tools like aide and audit that can spot and alert changes to ownership and mode. The trust db only allows 512 bytes per entry. We have to be very careful about what goes in there due to the inflexible size constraint. If the reason was compelling enough to make a change, then we'd need to make a new version number, migrate the contents, and make the max file name length even smaller.
-
There is a PATH record as part of the event. It's already recorded. So, what else should be added?
-
On RHEL-based systems, rpm -Va can quickly tell the difference between file system objects in the rpm database and objects on the file system, to include size and hash mismatches, as well as 6 other differences. Currently fapolicyd and the toolkit are chiefly concerned about the contents of a file, as measured by file size and hash metrics.

There are compelling reasons to consider file ownership (user and group) and file mode in addition to file content metrics. These checks are very cheap relative to the file hash, given that they are in the trusted rpm database and in stat(2). It wouldn't be a heavy lift to show ownership and mode discrepancies in this toolkit, but without any support and enforcement in fapolicyd proper, they will only serve as informational at this point (which could frustrate users).
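The cheap ownership/mode comparison described in the last comment, written out as an added shell example (not fapolicyd or toolkit code): it reads the recorded mode, owner and group from the rpm database and compares them with what stat reports. The rpm --qf tags and the GNU stat -c format are assumptions about those tools; the sample mismatch in demo() is constructed.

```shell
#!/bin/sh
# Added example: compare a file's mode/owner/group against the rpm database.
# Assumes rpm query tags FILEMODES:perms, FILEUSERNAME, FILEGROUPNAME and
# GNU stat's '%A %U %G' output format.

# check_meta EXPECTED ACTUAL
#   Both arguments are "MODE USER GROUP" strings, e.g. "-rwxr-xr-x root root".
#   Prints one line per differing field; returns 1 if anything differs, else 0.
check_meta() {
    expected="$1" actual="$2" rc=0
    set -- $expected; e_mode=$1 e_user=$2 e_group=$3
    set -- $actual;   a_mode=$1 a_user=$2 a_group=$3
    [ "$e_mode"  = "$a_mode"  ] || { echo "mode: expected $e_mode got $a_mode"; rc=1; }
    [ "$e_user"  = "$a_user"  ] || { echo "owner: expected $e_user got $a_user"; rc=1; }
    [ "$e_group" = "$a_group" ] || { echo "group: expected $e_group got $a_group"; rc=1; }
    return $rc
}

# rpm_expected FILE: mode/owner/group recorded in the rpm database for FILE.
rpm_expected() {
    rpm -qf "$1" --qf '[%{FILEMODES:perms} %{FILEUSERNAME} %{FILEGROUPNAME} %{FILENAMES}\n]' \
        | awk -v f="$1" '$4 == f { print $1, $2, $3; exit }'
}

# stat_actual FILE: what the file system reports right now.
stat_actual() {
    stat -c '%A %U %G' "$1"
}

# check_file FILE: live comparison; only meaningful where rpm and stat exist.
check_file() {
    check_meta "$(rpm_expected "$1")" "$(stat_actual "$1")"
}

# Constructed sample so the logic runs without rpm: a binary whose group was
# changed to wheel and which was made group-writable.
demo() {
    check_meta "-rwxr-xr-x root root" "-rwxrwxr-x root wheel"
}
```

Run check_file on a path owned by an installed package to get the live result; demo shows the two-line mismatch report and a non-zero exit status.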