On Thu, Dec 16, 2004 at 07:45:00AM +1100, Leigh Purdie wrote:
> Does this approach still allow us to cover the example of failed
> file-opens (no such file or dir), where an inode does not exist, but the
> administrator wants an indication that the attempt was made?
> eg: normal user$ echo "+ + someuser" > /etc/hosts.equiv
> bash: /etc/hosts.equiv: No such file or directory
> In general, two (or more) audit events could be generated here:
> * Permission denied on create file, in /etc (which would be covered by
> the permission() inode), and
> * User attempted to WRITE to /etc/hosts.equiv, and failed.
Note that what you're asking for goes beyond literal CAPP requirements:
5.2.2 FDP_ACF.1
Event: All requests to perform an operation on an object covered by the SFP
Details: The identity of the object.
("Details" are in addition to the required "Date and time of the event,
type of event, subject identity, and the outcome (success or failure) of
the event")
A file that doesn't exist is not an object and it can't have an operation
performed on it. The admin could always create an empty file as a
placeholder for an unused trusted database (which /etc/hosts.equiv isn't
for the planned RHEL ST) to get write attempts audited anyway.
You could also consider the file creation as an operation on the
*directory* and get it audited that way, meaning that an admin should
specify audit rules for the directory to be informed about failed
attempts to create new files.
-Klaus
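As an added illustration (not part of the thread), a small Python classifier over constructed audit records in the Linux audit log layout: it assumes the PATH-record convention that a name without an inode= field never resolved, and sorts the failures Leigh describes into ones that can only be attributed to the containing directory, which is Klaus's point about needing a rule on the directory.

```python
import errno
import re
from collections import defaultdict

# Constructed sample records (not from the thread) in the Linux audit log layout:
# one SYSCALL record plus PATH records per event, sharing a serial number.
# Serial 43 is the email's case: a write to /etc/hosts.equiv failing with ENOENT.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1103000000.100:42): arch=c000003e syscall=257 success=no exit=-13 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="etc-writes"
type=PATH msg=audit(1103000000.100:42): item=0 name="/etc/" inode=2 mode=040755 ouid=0
type=PATH msg=audit(1103000000.100:42): item=1 name="/etc/hosts.equiv"
type=SYSCALL msg=audit(1103000000.200:43): arch=c000003e syscall=257 success=no exit=-2 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="etc-writes"
type=PATH msg=audit(1103000000.200:43): item=0 name="/etc/" inode=2 mode=040755 ouid=0
type=PATH msg=audit(1103000000.200:43): item=1 name="/etc/hosts.equiv"
type=SYSCALL msg=audit(1103000000.300:44): arch=c000003e syscall=257 success=yes exit=3 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key="etc-writes"
type=PATH msg=audit(1103000000.300:44): item=0 name="/etc/hosts.equiv" inode=1234 mode=0100644 ouid=0
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_records(text):
    """Group audit lines by serial into {serial: {"SYSCALL": fields, "PATH": [fields]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)]["SYSCALL"] = fields
        elif fields.get("type") == "PATH":
            events[m.group(1)]["PATH"].append(fields)
    return dict(events)

def classify(event):
    """Attribute one event to the object an audit rule must cover to show it.
    A PATH record with inode= is a real object; one without it is a name that never
    resolved (the "file that doesn't exist"), so only the directory can be watched."""
    sc = event["SYSCALL"]
    code = "OK" if sc["success"] == "yes" else errno.errorcode.get(-int(sc["exit"]), "E?")
    unresolved = [p["name"] for p in event["PATH"] if "inode" not in p]
    if unresolved:  # object missing: attribute to the last resolved path (the directory)
        parent = [p["name"] for p in event["PATH"] if "inode" in p]
        return {"result": code, "name": unresolved[-1], "audit_via": parent[-1] if parent else None}
    return {"result": code, "name": event["PATH"][-1]["name"], "audit_via": event["PATH"][-1]["name"]}

def failed_events(text):
    """Return {serial: classification} for every event whose syscall failed."""
    return {s: classify(e) for s, e in parse_records(text).items() if e["SYSCALL"]["success"] == "no"}
```

Serial 44 shows the placeholder-file approach from the reply: once /etc/hosts.equiv exists as an object, the write resolves to its own inode and can be watched directly.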