[redhat-lspp] RFC: Audit Failure Action Design Proposal
Casey Schaufler
casey at schaufler-ca.com
Mon May 1 20:06:07 UTC 2006
--- Lisa Smith <lisa.m.smith at hp.com> wrote:
> Hi,
>
> Attached is the design proposal for the audit
> failure action project.
> Please review it and send me any comments.
I would expect these facilties to be included
in the audit daemon along with other real-time
event processing. I would not expect an
application or application system such as cups
to be integrated into the processing of audit
events.
Consider the MLS implications for starters. What
sensitivity ought to be applied to an audit event?
Is it appropriate to send cups an event at that
sensitivity, and if so, what ought it do with it,
and how sure can you be that you haven't designed
in a data channel?
The audit daemon can make those choices and is the
correct place to put such processing.
Casey Schaufler
casey at schaufler-ca.com
More information about the redhat-lspp
mailing list