[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit.56 merged with audit-2.6.git

On Thu, Jun 09, 2005 at 09:54:39AM -0400, Steve Grubb wrote:
> No audit records are generated when I made the file world readable. I suppose 
> you could hook the right syscalls, but that would provide way too much info. 
> The reason I ask is Table 1 of CAPP,  FMT_MSA.3 says that we should be able 
> to audit all modifications to the initial value of security attributes & 
> modifications to permissive or restrictive rules. Maybe I misunderstand the 
> application of this requirement, but that seems like file permissions.

CAPP also requires auditability of "all modifications to the values of
security attributes" (5.4.1 FMT_MSA.1) which includes chmod/chown etc.
FMT_MSA.3 is more concerned with default properties such as the umask

The auditable events table in CAPP doesn't list "the identity of the
object" explicitly for that event class, so taken literally you could
argue that the syscall audit capability with (device inode) pairs and
call arguments would cover this requirement. I'd consider that to be
against the spirit of CAPP; the point of audit should be to have a record
of security relevant changes which should include chmod/chown and similar


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]