Handling disk full & No Kernel resources

Casey Schaufler casey at schaufler-ca.com
Thu Jan 6 16:14:47 UTC 2005


--- Klaus Weidner <klaus at atsec.com> wrote:

> It's a bit more complex than this - CAPP requires
> that any actions on
> behalf of a user happen only after authentication,
> which is done
> centrally through PAM on Linux systems.

All users must be authenticated, and all their
security relevent actions must be audited.

> Putting the
> audit hooks in PAM
> ensures that any user actions can be audited
> properly after
> authentication.

Only so far as the authentication is valid.

> If there has been no authentication, the actions
> must not be considered
> to be on behalf of a specific user.

No action can be performed on behalf of a user
that has not been authenticated.

> Note that
> running as a non-root UID
> doesn't automatically mean that it corresponds to a
> human user.

Ho boy. This can legitimately be true if it's an
administrative UID that no human ever uses. This
does not mean that an action on a server doesn't
have to be authenticated just because you don't
know that there's a human on the other end.

> But it's
> obviously unacceptable to run anything with the
> rights of a human user
> based on data received from the network if the
> authentication steps were
> not done. This rules out passwordless rsh and
> similar abominations.

Almost. The Irix B1, CAPP, and LSPP evaluations
allowed passwordless rsh in the case of a common
administrative domain. If the client and the server
are administered together and the audit trail is
combined, you have everything you need.

> The same type of problem appears for cron and at,
> these services must
> ensure that the commands get run with the
> credentials of the user who
> submitted them.

Hee Hee Hee. I did audit for cron years ago. They
tell me I've recovered, but the twitches come back
sometimes.


=====
Casey Schaufler
casey at schaufler-ca.com


		
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - 250MB free storage. Do more. Manage less. 
http://info.mail.yahoo.com/mail_250




More information about the Linux-audit mailing list