On Wed, Apr 06, 2005 at 11:21:26AM -0400, Steve Grubb wrote:
> BTW, if I send a SIGKILL to the audit daemon, it gets yanked out of
> memory by the kernel without any courtesy. I wonder how this was covered
> by laus, or is this considered outside the bounds of what is reasonable?
> Same thing with a user shell: there won't be a pam_close_session call.
Sending SIGKILL to auditd needs administrator privileges, and for CAPP we
can assume/require them not to do that.
The pam_close_session record isn't required by CAPP, we had a discussion
about session end records some time ago. It's generally less reliable
than the start record anyway since the session close record doesn't mean
that all processes launched by that user have terminated; some may have
been backgrounded.
> For LSPP, are there additional requirements that we should consider now
> so that this doesn't come up "next time"?
LSPP has essentially the same audit requirements as CAPP, it only adds
requirements for new fields related to the "sensitivity labels of
subjects, objects, or information involved".
-Klaus