Hi Mike,
Matt is away this week so he'll probably have a more detailed response
but in the meantime, I have a few comments/questions.
I'm wondering if the intent of the cups userspace tools is to be
trusted programs? Specifically I'm curious about cupsaccept, cupsreject,
cupsenable and cupsdisable. The reason I ask is because if they are
supposed to be trusted programs, they don't generate unique audit
messages like other programs.
I don't think these programs are trusted programs because all they do
is talk to the cupsd, which is a trusted program. The cupsd makes
all the decisions and takes all the actions. These programs (really
just 'accept' as the rest I believe are symlinks to it) are not setuid
and do not make any access or other decisions, at least that's my
understanding.
Personally, I think these tools should generate messages since they are
a source for leaking information, and therefore should be restricted to
administrators.
I think the real question is which actions should be audited. Should
enabling/disabling a printer queue be audited? I don't believe it's
required to be and if it's not security relevant, do we want it in the
audit logs? Cups has a comprehensive logging facility so there are all
kinds of information about what is happening with the print subsystem that I
don't think we want to replicate in the audit logs, but perhaps there
are more actions that would make sense to audit than we currently are
auditing.