[RFC][PATCH 0/3] CAPP-compliant file system auditing

Timothy R. Chavez tinytim at us.ibm.com
Thu Mar 31 18:16:26 UTC 2005


Hello,

.:: Introduction ::.

In its present state, the Linux audit subsystem cannot be used in a Common 
Criteria (ISO/IEC 15408)[1] CAPP/EAL4+[2] evaluation.  This patch addresses a 
blocking deficiency in the current implementation: the inability to audit file 
system objects by "name".  Currently, one is limited to using an 
(inode,device) filter rule to audit syscall access to the object.  This is 
insufficient for CAPP because (1) the object is not being audited by "name", 
and (2) it will not remain auditable if the underlying inode changes.  What 
follows from this requirement is the ability to better observe the _behavior_ 
of the "named" object, rather than just access to the "named" object.

Here is a relevant example showcasing the deficiency:

The administrator audits "/etc/shadow".  To do so, she adds the filter rule 
using /etc/shadow's current inode and device.  Then, she runs 'passwd' to 
change her password.  She consults the audit log and sees that some records 
have been generated, but when she runs 'passwd' again, she notices that audit 
records are no longer being generated.  She does an 'ls -i /etc/shadow' and 
notices that the inode has changed.  She then decides to consult the audit 
log and comes to the realization that what's there is incomplete and does 
not tell the complete story of /etc/shadow during the execution of 'passwd'.
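The scenario above can be reproduced without touching /etc/shadow or the audit subsystem at all.  The following is an added, constructed illustration (not part of this posting or the patch): it updates a stand-in file the way 'passwd' does, by writing a new file beside the original and renaming it over the top, and shows that the path stays the same while the inode an (inode,device) rule is pinned to does not.

```shell
#!/bin/sh
# Constructed demonstration: a path-based ("named") object survives the
# write-temp-then-rename update pattern, but its (inode,device) pair does not.
# The inode is read with ls -i, as in the /etc/shadow example above.

inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Stand-in for /etc/shadow in a scratch directory, updated the way passwd
# does it (new file written next to the original, then renamed over it).
# Prints "changed" if the inode moved, "same" otherwise.
inode_after_replace() {
    dir=$(mktemp -d)
    target="$dir/shadow"
    printf 'root:x:0:0:root\n' > "$target"
    before=$(inode_of "$target")

    # Rename-over-original: the name is unchanged, the inode is new, so a
    # rule keyed on the old (inode,device) pair stops matching here.
    printf 'root:y:0:0:root\n' > "$dir/shadow.tmp"
    mv -f "$dir/shadow.tmp" "$target"
    after=$(inode_of "$target")

    rm -rf "$dir"
    if [ "$before" != "$after" ]; then echo changed; else echo same; fi
}

# Contrast: the same content change done in place (truncate and rewrite the
# existing file) keeps the inode, so an (inode,device) rule would still match.
inode_after_inplace_write() {
    dir=$(mktemp -d)
    target="$dir/shadow"
    printf 'root:x:0:0:root\n' > "$target"
    before=$(inode_of "$target")
    printf 'root:y:0:0:root\n' > "$target"
    after=$(inode_of "$target")
    rm -rf "$dir"
    if [ "$before" != "$after" ]; then echo changed; else echo same; fi
}
```

Which of the two patterns a given tool uses is an implementation detail of that tool, which is exactly why a rule tied to the inode rather than the name cannot be relied on to tell the whole story.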

The patch is broken into two parts.

Part 1: The actual implementation of the file system auditing piece
Part 2: The hooks

+ + + +

[1] Common Criteria is an internationally recognized ISO standard centered 
around IT security evaluations (http://csrc.nist.gov/cc/)
[2] CAPP/EAL4+ (Controlled Access Protection Profile / Evaluation Assurance 
Level 4+) is for generalized environments with a moderate level of risk to the 
assets.  For more information about CAPP requirements: 
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf

-tim
