[redhat-lspp] Re: CUPS audit record
Matt Anderson
mra at hp.com
Thu Aug 31 15:05:53 UTC 2006
Steve Grubb wrote:
> On Wednesday 30 August 2006 17:30, Matt Anderson wrote:
>>I think CUPS is a case where acct would be preferable. The auid is
>>known, and will be recorded, but acct will correspond with the user
>>field that shows up on paper.
>
> What is the source of the user's name? From what I can see, you get the auid
> from credentials. So that is the best source of info. If you look it up in
> passwd database, ausearch can look it up, too. I really want the most
> authoritative information recorded.
The source of the username that is listed as acct is lpr. I can
appreciate that this makes it questionable data, but what you are
suggesting is worse in my opinion.
Its worth noting that the sauid is being captured which is the most
authoritative information and in the end the only useful auditing
information. I'm in no way suggesting we stop doing that.
My concern is that when the data hits paper there is a Requesting User:
field on the banners. Currently acct= captures that information. I
could, as you suggest, do various username to uid look ups, but:
1) Given that the username is of low integrity, doing a getpwnam() does
nothing to increase that integrity.
2) Converting the name to a number will make the job of correlating a
print out to an audit record harder.
-matt
More information about the redhat-lspp
mailing list