[PATCH] cleanups + fixes against audit.56

Casey Schaufler casey at schaufler-ca.com
Wed Jun 15 21:28:16 UTC 2005



--- Steve Grubb <sgrubb at redhat.com> wrote:

 
> That doesn't matter. If the intent was to report on
> the file, and the 
> directory's mode is reported it's wrong.

The right thing to do is report the pathname
and attributes of the component upon which the
access control decision failed or ultimately
succeeded. Thus, for

    /a/b/c

if the access was successful the audit record
ought to always contain the path "/a/b/c" and
the attributes of "c". If the access control
failed on "b", the record needs to include
"/a/b" and the attributes of "b" as well as an
indication that what you were ultimately after
was "/a/b/c/", even though you never got there.
If the access failed on "c" the record needs
the path "/a/b/c" and the attributes of "c",
just as in the success case.

This can get hairy. On exec(), for example,
the audit record may include the path of a
directory, not a program file. You have to be
ready for this in postprocessing.

You never want the attributes of the directory
on a successful access, this does not make
sense and certainly fails the CAPP requirement.
You only want the attributes of the directory
if that is the object upon which access was
denied.



Casey Schaufler
casey at schaufler-ca.com
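
The reporting rule described in the message above, as an added example that is not part of the original post or of the Linux audit code: a small Python model that walks /a/b/c over a constructed in-memory tree and builds the record for the component on which the access decision was made. The record field names, the Node type and the simplified owner/other permission check are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits that can be requested

@dataclass
class Node:
    mode: int                  # permission bits only, e.g. 0o755
    uid: int                   # owner
    children: dict = field(default_factory=dict)

def allowed(node, uid, want):
    # Simplified owner/other check; groups, ACLs and root override are omitted.
    bits = (node.mode >> 6) & 7 if uid == node.uid else node.mode & 7
    return bits & want == want

def record(path, node, target, result):
    # Field names are made up for this sketch, not the audit record format.
    return {"result": result, "path": path, "mode": oct(node.mode),
            "uid": node.uid, "target": target}

def audit_access(root, target, uid, want):
    """Return the record for the component on which the decision was made."""
    node, walked = root, ""
    for name in [p for p in target.split("/") if p]:
        # Search permission on each directory is checked before the lookup,
        # so a denial here is reported with the directory's own attributes.
        if not allowed(node, uid, X):
            return record(walked or "/", node, target, "denied")
        node = node.children[name]   # every component exists in the sample tree
        walked += "/" + name
    # Reached the final component: success and denial both report its attributes.
    result = "success" if allowed(node, uid, want) else "denied"
    return record(walked, node, target, result)

def sample_tree(b_mode, c_mode):
    # Constructed tree for /a/b/c, everything owned by uid 0.
    c = Node(c_mode, 0)
    b = Node(b_mode, 0, {"c": c})
    a = Node(0o755, 0, {"b": b})
    return Node(0o755, 0, {"a": a})

if __name__ == "__main__":
    # Success, denial on "b", denial on "c", all for uid 1000 reading /a/b/c.
    for b_mode, c_mode in [(0o755, 0o644), (0o700, 0o644), (0o755, 0o600)]:
        print(audit_access(sample_tree(b_mode, c_mode), "/a/b/c", 1000, R))
```

A postprocessing tool reading such records has to compare "path" with "target": when they differ, the attributes belong to a directory on the way, not to the object that was asked for.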






More information about the Linux-audit mailing list