[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: audit 0.6 release

--- Leigh Purdie <Leigh Purdie intersectalliance com>

> Usually, from a on-system filtering perspective, the
> auditor is
> interested in real user ID only. The other ID's are
> very useful in
> follow-up analysis though.

In C2 and CAPP evaluations I've worked on the
real userid was deemed too volitile to identify
the user who had logged in. Solaris and Irix
maintain a seperate "audit user id" that is set
at login and not changed, even by su.

> >     4. Do you mean the path name "/tmp/foo", or
> the
> >        inode 86753 on the root file system? What
> >        about symlinks, mount points, and/or pseudo
> >        filesystem redirections?
> This is where it gets nasty doesn't it. ;)


> Snare works this way (bouncing every single file
> open through to the
> audit daemon for resolution, when a user has
> requested file open
> auditing). Not optimal, which is why filtering
> in-kernel may be more
> appropriate - but even so, users have reported
> single-figure-percentage
> reductions in performance when file auditing +
> regexp filtering is used.

Here's food for thought. I'll owe a beer to the
first person who figures out the right answer to
this riddle:

On Irix you can improve compiler performance
by installing the audit module, but leaving it
turned off. How can this be?

Casey Schaufler
casey schaufler-ca com

Do you Yahoo!? 
Yahoo! Mail - Helps protect you from nasty viruses. 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]