On Friday 01 April 2005 10:51 am, Stephen Smalley wrote:
> On Fri, 2005-04-01 at 10:47 -0600, Timothy R. Chavez wrote:
> > Hm. Ok...
> >
> > So how about I do this all in one message, cut out the general overview
> > and hook explanations and save those for discussion? By the time this
> > goes to fsdevel there should be an audit package in-sync with the RFC
> > patch.
>
> Possibly you can do it as two messages, i.e.
> [1/2] includes the intro text, hook explanations, and hook patch (which
> is the most important piece to get accepted by the kernel developers)
> [2/2] includes design/implementation description of the auditfs.c code
> and the patch for it (which is mostly just so that they can go look at
> it when they aren't sure how you are using a given hook).

I'll be out for the rest of the day, unfortunately, but I'll leave you with
the newest incarnation of the intro message to critique and the rest will be
done by tonight (or early this morning) and I suspect you'll be happily
sleeping by then :)

Hello,

The audit subsystem is currently incapable of auditing a file system object
based on its location and name. This is critical for auditing well-defined
and security-relevant locations such as /etc/shadow, where the inode is
mutable, and cannot rely on the (device, inode)-based filters to ensure
persistence of auditing across transactions. This patch adds the necessary
functionality to the audit subsystem and VFS to support file system auditing
in which an object is audited based on its location and name. This work is
being done to make the audit subsystem compliant with Common Criteria's
Controlled Access Protection Profile (CAPP) specification.
--
-tim
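
Added example, not part of the original message or the patch: a user-space illustration of why a (device, inode) filter loses a file such as /etc/shadow once it is updated by write-then-rename, while a location/name rule still matches. The temporary directory, the `shadow` stand-in file, the `.new` suffix and the function names are constructed for this sketch.

```python
import os
import tempfile


def replace_by_rename(path, new_contents):
    """Update a file by writing a sibling and rename()-ing it over the
    original, a common pattern for atomically rewriting account files."""
    tmp = path + ".new"  # hypothetical temporary name
    with open(tmp, "w") as f:
        f.write(new_contents)
    os.rename(tmp, path)  # atomic; 'path' now names a different inode


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for /etc/shadow; the real file is not touched.
        path = os.path.join(d, "shadow")
        with open(path, "w") as f:
            f.write("root:*:12000:0:99999:7:::\n")

        st = os.stat(path)
        inode_rule = (st.st_dev, st.st_ino)  # what a (device, inode) filter records
        path_rule = path                     # what a location/name rule records

        replace_by_rename(path, "root:!:12874:0:99999:7:::\n")

        st2 = os.stat(path)
        current = (st2.st_dev, st2.st_ino)
        return {
            "old": inode_rule,
            "new": current,
            # The inode rule no longer describes the object at this path.
            "inode_rule_matches": current == inode_rule,
            # The path rule still resolves to the live object.
            "path_rule_matches": os.path.exists(path_rule),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```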