
Re: Another dumb question...

On Mon, 5 Apr 2004 22:51, Stephen Smalley <sds epoch ncsc mil> wrote:
> identity using that audit framework rather than SELinux.  Also, the
> existing SELinux auditing of permission checks could be configured to
> audit all transitions to and from the su domains, such that the SELinux
> user identity transitions would be logged as they occur, e.g. adding
> something like 'auditallow $1_t $1_su_t:process transition; auditallow
> $1_su_t userdomain:process transition;' to
> policy/macros/program/su_macros.te (caveat:  untested).

The problem with this is that you need to analyse a lot of log data to get the 

Someone could run su days or weeks before performing an action that is 

The audit framework can be used instead; it's just another thing that we have 
to learn and support in our log file analysis programs.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
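
An added example, not part of the original message or of the SELinux project: a small filter that pulls the records the quoted auditallow rules would generate out of a kernel log and flags the step where the SELinux user identity changes. The log lines are constructed, the function name `su_transitions` is hypothetical, and the code assumes the usual `avc:  granted  { ... } for  key=value ...` record layout and that su domains are named `*_su_t` as in the quoted macro.

```python
import re

# Constructed sample kernel log lines, not taken from the original message.
SAMPLE_LOG = [
    "audit(1081168801.100:0): avc:  granted  { transition } for  pid=812 "
    "exe=/bin/bash path=/bin/su scontext=user_u:user_r:user_t "
    "tcontext=user_u:user_r:user_su_t tclass=process",
    "audit(1081168805.200:0): avc:  granted  { transition } for  pid=812 "
    "exe=/bin/su path=/bin/bash scontext=user_u:user_r:user_su_t "
    "tcontext=root:sysadm_r:sysadm_t tclass=process",
    "audit(1081168900.300:0): avc:  denied  { transition } for  pid=901 "
    "exe=/usr/sbin/httpd path=/bin/su scontext=system_u:system_r:httpd_t "
    "tcontext=system_u:system_r:user_su_t tclass=process",
    "audit(1081168950.400:0): avc:  granted  { transition } for  pid=915 "
    "exe=/bin/bash path=/usr/bin/mozilla scontext=user_u:user_r:user_t "
    "tcontext=user_u:user_r:user_mozilla_t tclass=process",
]

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def su_transitions(lines):
    """Return granted process transitions into or out of *_su_t domains."""
    events = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group(1) != "granted":
            continue  # only auditallow ("granted") records are of interest
        fields = dict(FIELD_RE.findall(m.group(3)))
        if fields.get("tclass") != "process" or "transition" not in m.group(2).split():
            continue
        src = fields.get("scontext", "").split(":")
        dst = fields.get("tcontext", "").split(":")
        if len(src) < 3 or len(dst) < 3:
            continue  # malformed or truncated context
        if src[2].endswith("_su_t"):
            direction = "leave_su"
        elif dst[2].endswith("_su_t"):
            direction = "enter_su"
        else:
            continue  # ordinary domain transition, not su
        events.append({
            "pid": fields.get("pid"), "direction": direction,
            "from": ":".join(src[:3]), "to": ":".join(dst[:3]),
            "identity_changed": src[0] != dst[0],  # SELinux user field differs
        })
    return events

print(su_transitions(SAMPLE_LOG))
```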
