LSPP audit enablement: example audit records with subj/obj labels

Dustin Kirkland dustin.kirkland at us.ibm.com
Fri Oct 21 14:50:58 UTC 2005


On 10/20/05, Linda Knippers <linda.knippers at hp.com> wrote:
> > At this point, the subj/obj label is simply appended onto the end of the
> > existing audit record for the associated subject or object.  Steve has
> > mentioned that this will get more complicated when a given subject acts
> > on multiple objects (though I haven't found a good way to test this
> > behavior yet).
> 
> In most cases where there are multiple objects, wouldn't each have its
> own record (like the PATH record) so it would be clear which object the
> label is for?

That's my guess right now, Linda.  I'm looking forward to seeing what
happens once Amy & Tim's fs watch code and my code are merged so that I
can test it out and see what it looks like.  There's a distinct
possibility that it'll just work cleanly as you suggested.
 
> > If there are strong feelings one way or another, let's please
> > discuss them now.
> 
> I used to think the information should be separate but I don't think
> so anymore.

Thanks, I'm happy that at least someone else likes it this way. :-D

I guess we have to remember that the ausearch et al. tools could be
augmented to sew together auxiliary records if they were separated.  But
doing it this way greatly simplifies that aspect of the work to be done.
If this is intuitive and effective for LSPP compliance, I would lean toward
doing it this way and maintaining a list of future work items that
perhaps includes separating these labels out as aux records at some
point later.

:-Dustin
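To make the record layout under discussion concrete, here is an added example (not code from the thread or from the audit tools) that parses a few constructed audit records in the key=value format and sews them together by event serial, so each PATH record's own appended obj= label stays paired with its object while the SYSCALL record carries the subj= label. The label strings, inode numbers and paths are illustrative values, not taken from a real system.

```python
import re
from collections import defaultdict

# Constructed sample records (assumed format; not from the original message).
# One SYSCALL record plus one PATH record per object, all sharing a serial.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1129906258.101:77): arch=c000003e syscall=82 success=yes exit=0 pid=4123 uid=500 auid=500 comm="mv" exe="/bin/mv" subj=staff_u:staff_r:staff_t:s0
type=CWD msg=audit(1129906258.101:77):  cwd="/home/user"
type=PATH msg=audit(1129906258.101:77): item=0 name="old.txt" inode=1281 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00 obj=staff_u:object_r:user_home_t:s0
type=PATH msg=audit(1129906258.101:77): item=1 name="new.txt" inode=1282 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00 obj=staff_u:object_r:user_home_t:s2
type=SYSCALL msg=audit(1129906260.555:78): arch=c000003e syscall=2 success=no exit=-13 pid=4124 uid=500 auid=500 comm="cat" exe="/bin/cat" subj=staff_u:staff_r:staff_t:s0
type=PATH msg=audit(1129906260.555:78): item=0 name="/etc/shadow" inode=9 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value ...>
MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into (type, serial, {field: value}); None if malformed."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return rtype, int(serial), fields

def group_events(text):
    """Sew records together by serial: the SYSCALL record supplies the subject
    label, and each PATH record supplies one (name, obj label) pair."""
    events = defaultdict(lambda: {"subj": None, "objects": []})
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, f = parsed
        ev = events[serial]
        if rtype == "SYSCALL":
            ev["subj"] = f.get("subj")
            ev["syscall"] = f.get("syscall")
            ev["success"] = f.get("success")
        elif rtype == "PATH":
            ev["objects"].append((f.get("name"), f.get("obj")))
    return dict(events)
```

Because each PATH record carries its own obj= field, an event with several objects (serial 77 above) keeps a distinct label per object without any auxiliary record.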