
Re: audit 0.6 release

--- Leigh Purdie <Leigh Purdie intersectalliance com>

> Tagging an inode with an audit flag is a good
> starting point to gain a
> capability,

One thing I've noticed is that no one has ever
asked to audit by inode number. Both Sun and SGI
rejected the notion of tagging a file for audit
not because it was hard (it isn't) but because
"copy, edit, replace" is the norm and the tags
get lost too easily.

> but I think we need to find a more
> comprehensive solution to
> provide an effective auditing subsystem that meets
> the 'filtering'
> requirements of many organisations.

The SGI audit records include
     - Current Root
     - Current directory
     - The path requested
     - The path resolved
     - The device and inode
     - All file attributes, including extended ones.

If /tmp/wombat is a symlink to /etc/passwd an open
record would include:

     - /
     - /home/btcat
     - /tmp/wombat
     - //tmp/>wombat//etc//passwd
     - major,minor,86753
     - stat info, ACL, MAC_LABEL, ...

allowing filtering on "passwd", which the syscall
never saw.

> Also, w.r.t the success flag, we've encountered
> situations where a user
> wants to filter on both:
> * A broad success/failure, and
> * specific return/error codes

It is most important to distinguish access control
decisions from user errors.

Casey Schaufler
casey schaufler-ca com
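Added illustration (not code from this thread, nor from the SGI or Linux audit implementations) of the two points above: an open record that carries both the requested and the resolved path, so that a "passwd" filter on the requested path alone misses the /tmp/wombat open while a filter over the resolved path catches it, plus a classifier that separates access-control refusals from ordinary user errors. The record layout, the function names and the choice of EACCES/EPERM as the access-control errnos are assumptions for this example.

```python
import errno
import os
import tempfile
from dataclasses import dataclass

# Assumed record layout, loosely following the fields listed in the mail.
@dataclass
class OpenRecord:
    root: str
    cwd: str
    path_requested: str   # what the caller passed to open()
    path_resolved: str    # after every symlink has been followed
    dev_inode: tuple      # (major, minor, inode) or None if not found
    result: int           # 0 on success, otherwise the errno returned

def build_open_record(path_requested, root="/", cwd=None, result=0):
    """Record both paths, since the syscall itself only sees the first."""
    resolved = os.path.realpath(path_requested)
    try:
        st = os.stat(resolved)
        dev_inode = (os.major(st.st_dev), os.minor(st.st_dev), st.st_ino)
    except FileNotFoundError:
        dev_inode = None
    return OpenRecord(root, cwd or os.getcwd(), path_requested,
                      resolved, dev_inode, result)

def matches(record, needle, use_resolved=True):
    """Substring filter over the requested path, optionally the resolved one too."""
    haystack = [record.path_requested]
    if use_resolved:
        haystack.append(record.path_resolved)
    return any(needle in p for p in haystack)

ACCESS_CONTROL_ERRNOS = {errno.EACCES, errno.EPERM}  # assumed grouping

def classify(record):
    """Distinguish an access-control decision from a user error."""
    if record.result == 0:
        return "success"
    return "access-control" if record.result in ACCESS_CONTROL_ERRNOS else "user-error"

def demo():
    # Constructed layout under a temp dir: etc/passwd and tmp/wombat -> etc/passwd.
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "etc"))
        os.makedirs(os.path.join(base, "tmp"))
        target = os.path.join(base, "etc", "passwd")
        open(target, "w").close()
        link = os.path.join(base, "tmp", "wombat")
        os.symlink(target, link)
        rec = build_open_record(link, result=errno.EACCES)
        # Requested-path filter misses; resolved-path filter hits; refusal classified.
        return (matches(rec, "passwd", use_resolved=False), matches(rec, "passwd"), classify(rec))
```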

