On Monday 26 September 2005 14:00, Steve Grubb wrote:
> On Thursday 21 July 2005 11:48, Dustin Kirkland wrote:
> > The attached patch contains functionality specified by the labeled
> > security protection profile--basically appending object context and
> > subject context labels to audit records.
> Let's use the following audit message number ranges for the next round of
> 1500 - 1599 kernel LSPP events
> 1600 - 1699 user space generated LSPP events
> 1700 - 1799 kernel crypto events
> 1800 - 1899 user space crypto events
> 1900 - 1999 future use (maybe integrity labels and related events)
Maybe I missed it... What's the 2000 - 2099 block reserved for again? I see
AUDIT_KERNEL at 2000, but I'm looking at an audit git tree that's not been
updated for over a month.
> 2100 - 2199 user space anomaly records
> 2200 - 2299 user space actions taken in response to anomalies
> I'd also like to suggest that this patch collect 2 kinds of contexts, subject
> and object. Subject being the context associated with the caller, object
> being whatever system object that is being accessed. There can be more than
> one object in the syscall. I'm undecided about whether they should be all in
> 1 record or each a separate record in the same event.
In terms of parsing, I'd imagine it'd be easiest if a subrecord had a static format
(and in the case of a binary record, a fixed size) and could not grow arbitrarily
large. I vote to make them separate subrecords which are then correlated using
a common token=value. In this case, something like: event=<this_event>??
> This would mean taking
> 1500 as subject label and 1501 as object label.
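As an added illustration of the design discussed above (separate fixed-format subject and object subrecords tied together by a shared event token), here is example code that is not from the thread or from the audit project; the 1500/1501 type numbers follow the proposal quoted in the message, while the sample records, field names and the event=<id> token are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical message-type numbers taken from the proposal quoted above:
# 1500 = subject label record, 1501 = object label record.
AUDIT_LSPP_SUBJECT = 1500
AUDIT_LSPP_OBJECT = 1501

# Constructed sample subrecords (not real audit output). Each one carries a
# fixed set of token=value pairs plus a shared event=<id> token for correlation.
SAMPLE_RECORDS = """\
type=1500 event=42 pid=1234 uid=500 subj=user_u:user_r:user_t
type=1501 event=42 name=/etc/shadow obj=system_u:object_r:shadow_t
type=1500 event=43 pid=1235 uid=0 subj=system_u:system_r:init_t
type=1501 event=43 name=/var/log/audit/audit.log obj=system_u:object_r:auditd_log_t
type=1501 event=43 name=/etc/audit/auditd.conf obj=system_u:object_r:auditd_etc_t
type=1501 event=44 name=/tmp/orphan obj=system_u:object_r:tmp_t
"""

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one subrecord into a dict of token -> value; type/event as ints."""
    fields = dict(TOKEN_RE.findall(line))
    fields["type"] = int(fields["type"])
    fields["event"] = int(fields["event"])
    return fields


def correlate(text):
    """Group subject and object subrecords by their shared event id.

    Returns {event_id: {"subject": dict or None, "objects": [dict, ...]}}.
    One event has at most one subject but may touch several objects, which is
    why the object side is a list rather than a single record."""
    events = defaultdict(lambda: {"subject": None, "objects": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["event"]]
        if rec["type"] == AUDIT_LSPP_SUBJECT:
            ev["subject"] = rec
        elif rec["type"] == AUDIT_LSPP_OBJECT:
            ev["objects"].append(rec)
    return dict(events)


def events_missing_subject(events):
    """Event ids whose object records arrived without a subject record."""
    return sorted(eid for eid, ev in events.items() if ev["subject"] is None)
```

Running `correlate(SAMPLE_RECORDS)` yields three events; event 44 is reported by `events_missing_subject` because only an object subrecord was emitted for it.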