On Thu, 2005-07-28 at 15:03 -0400, Amy Griffis wrote:
> I have some comments about this patch as well, but I think I'll
> hold them until we discuss the LSPP audit requirements. As Steve
> previously mentioned, it's really not appropriate to be looking at
> code when we haven't yet discussed what needs to be done.

I was trying the "release early, release often" approach ;)

> If you have already researched the requirements, please include a
> listing with your patch, along with an explanation of how your patch
> meets those requirements. There is more to it than "basically
> appending object context and subject context labels to audit records".
> If you haven't done any investigation, let us know, so someone can
> work up a first draft of the requirements for us to discuss.

This isn't exactly re-designing audit from the ground up... It's adding
information to existing audit records, beyond what CAPP requires.

See the LSPP specification, section 5.1.1.2(b), copied here for your
convenience:

5.1 Security Audit (FAU)

5.1.1 Audit Data Generation (FAU_GEN.1)

5.1.1.1
The TSF shall be able to generate an audit record of the auditable
events listed in column “Event” of Table 1 (Auditable Events). This
includes all auditable events for the basic level of audit, except
FIA_UID.1’s user identity during failures.

5.1.1.2
The TSF shall record within each audit record at least the following
information:
a) Date and time of the event, type of event, subject identity, and the
   outcome
b) The sensitivity labels of subjects, objects, or information
   involved; and
c) The additional information specified in the “Details” column of
   Table 1 (Auditable Events).

The patch submitted attempts to add (b) beyond what CAPP audit already
provides. I was hoping for feedback on where the patch falls short
of accomplishing this. If you want to have a design discussion first,
let's begin.
:-Dustin