[redhat-lspp] SE Linux audit events

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 8 16:51:44 UTC 2005


On Tue, 2005-11-08 at 11:18 -0500, Steve Grubb wrote:
> Just to make sure these events get recorded no matter what the policy says. I 
> think the auditallow rules can stay in the policy if there's some real reason 
> to keep them. But you are already using the audit system to record avc 
> messages, why would you object to continuing using the audit system but have 
> the config change events formalized? Seems like it's no harm done to SE Linux 
> and helps make these types of things stand out better in log analysis.

It produces duplication of mechanism between the two subsystems, and as
you said above, makes the auditallow mechanism obsolete for those
events.  "No harm done" is the wrong criterion for any proposed change;
the questions should be more along the lines of "Does it meet a
requirement?  Does it provide added value?  Can it already be achieved
using existing mechanism?"

The other point to keep in mind here is that each kernel change takes
time to upstream, and the window for upstreaming is short for each
release.  So avoiding unnecessary kernel changes is especially
desirable.

-- 
Stephen Smalley
National Security Agency



