[redhat-lspp] userdomain policy question ..
Casey Schaufler
casey at schaufler-ca.com
Tue Aug 8 16:26:33 UTC 2006
--- Klaus Weidner <klaus at atsec.com> wrote:
>
> > Klaus, would it be sufficient, for meeting LSPP
> requirement, to
> > audit write(2) of the fscreate file?
>
> I guess you could argue that it meets the
> requirement, but it's extremely
> ugly since it'll be hard to audit selectively. I
> don't think there's a
> sane way to set filesystem watches on all
> /proc/$PID/attr/fscreate files
> to get those specifically, and you don't want to be
> auditing all open(2)
> calls.
>
> It would be much cleaner to have audit records
> specifically for the
> attr/* operations. I think they'll be fairly
> uncommon in general use, so
> I think it would be ok to always audit them without
> having specific
> auditctl filters.
On Irix (which uses xattrs extensively)
changes to the xattrs are explictly audited
under the same circumstances that would
warrent changes to traditional attributes.
Any change to an xattr in the security space
(ACL, Capability set, MAC label) is audited
if changes to traditional security attributes
(owner, group, mode) are audited. This was
absolutely required to get our evaluations.
Casey Schaufler
casey at schaufler-ca.com
More information about the redhat-lspp
mailing list