
Re: LSPP audit enablement: example audit records with subj/obj labels

On 10/20/05, Linda Knippers <linda knippers hp com> wrote:
> > At this point, the subj/obj label is simply appended onto the end of the
> > existing audit record for the associated subject or object.  Steve has
> > mentioned that this will get more complicated when a given subject acts
> > on multiple objects (though I haven't found a good way to test this
> > behavior yet).
> In most cases where there are multiple objects, wouldn't each have its
> own record (like the PATH record) so it would be clear which object the
> label is for?

That's my guess right now, Linda.  I'm looking forward to seeing what
happens once Amy & Tim's fs watch code and my code are merged so that I
can test it out and see what it looks like.  There's a distinct
possibility that it'll just work cleanly as you suggested.

> > If there are strong feelings one way or another, let's please
> > discuss them now.
> I used to think the information should be separate but I don't think
> so anymore.

Thanks, I'm happy that at least someone else likes it this way. :-D

I guess we have to remember that the ausearch et al. tools could be
augmented to sew together auxiliary records if they were separated.  But
doing it this way greatly simplifies that aspect of the work to be done.
If this is intuitive and effective for LSPP compliance, I would lean toward
doing it this way and maintaining a list of future work items that
perhaps includes separating these labels out as aux records at some
point later.
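
An added example, not part of the original message or of the audit project's code: a sketch of how a log consumer can attribute labels when each object has its own record, as discussed above. It assumes the familiar Linux audit log layout with `subj=` on the SYSCALL record and `obj=` on each PATH record; the sample records and the function names `parse_record` and `labels_by_event` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log style; every value
# (timestamps, serials, paths, labels) is made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1129836000.101:42): arch=40000003 syscall=38 success=yes exit=0 pid=2101 comm="mv" subj=user_u:user_r:user_t:s0
type=PATH msg=audit(1129836000.101:42): item=0 name="/tmp/a" inode=1201 obj=user_u:object_r:tmp_t:s0
type=PATH msg=audit(1129836000.101:42): item=1 name="/home/u/a" inode=1377 obj=user_u:object_r:user_home_t:s0
type=SYSCALL msg=audit(1129836000.205:43): arch=40000003 syscall=5 success=no exit=-13 pid=2102 comm="cat" subj=user_u:user_r:user_t:s0
type=PATH msg=audit(1129836000.205:43): item=0 name="/etc/shadow" inode=981 obj=system_u:object_r:shadow_t:s0
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return (record type, event serial, field dict), or None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _timestamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, int(serial), fields

def labels_by_event(log_text):
    """Group records by event serial; keep each label with its own record."""
    events = defaultdict(lambda: {"subj": None, "objects": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that are not audit records
        rtype, serial, fields = rec
        if rtype == "SYSCALL":
            # The subject label rides on the record describing the subject.
            events[serial]["subj"] = fields.get("subj")
        elif rtype == "PATH":
            # One PATH record per object, so each obj label is unambiguous.
            events[serial]["objects"].append((fields.get("name"), fields.get("obj")))
    return dict(events)

if __name__ == "__main__":
    for serial, ev in sorted(labels_by_event(SAMPLE_LOG).items()):
        print(serial, ev["subj"], ev["objects"])
```

Because the labels are inline, the only joining needed is on the event serial; no auxiliary label records have to be sewn back onto the records they describe.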

