--- Klaus Weidner <klaus(a)atsec.com> wrote:

> On Mon, Feb 21, 2005 at 06:13:37PM -0800, Casey Schaufler wrote:
> > Nope. On the other hand, I cannot point to a system that has been
> > successfully evaluated that does not do this.
>
> RHEL3, SLES8 and SLES9 have all been successfully evaluated as CAPP
> compliant with no logout messages...

Well, then I guess you're right and I'm wrong.

> > This will, of course, depend on how carefully you've defined a
> > "session". A detached process that is not associated with a controlling
> > tty cannot interact with the user, hence need not be considered a part
> > of the user's session.
>
> Well, they are running on behalf of that user and need to be audited in
> the same way as if the user were still logged in. And the "interactive"
> distinction is fuzzy at best - what about programs run in a "screen"
> session that get detached and reattached later? Or a background program
> that opens a network socket accepting interactive commands? That's why a
> logout message is far less informative than a login message, it doesn't
> correspond to any particularly interesting or security relevant event.

It is interesting as a bracket for a group of activities, just as the
login is.

> > On the other hand, the collection of processes started by a cron job is
> > a session, even though no user is interacting.
>
> Agreed, that's why crond needs to be instrumented to set up a proper
> audit context for the code run on the user's behalf, including the
> correct login UID. It doesn't mean that cron needs to write login/logout
> records.

Hum. We had to for our TCSEC evaluation, and carried the code into the CC
evaluation because it was still working.

> > My point? It's not enough to have code that does auditing. No
> > evaluation team, even a Spanish team using the Common Criteria, will
> > have any patience with you if you take the attitude of "show me where
> > it says I have to do this". Especially if you use the fact that the
> > system makes audit hard to explain as the grounds for your argument.
>
> Well, I'd have little patience with evaluation teams that expect me to
> implement something that clearly isn't required.

Ah, the Orange Book days were a bit tougher.

> It's the evaluator's job to verify that you correctly implement the
> features your product claims to have and that the claims match the chosen
> profile, not to dictate a design.

That was a major source of contention back in the day.

> > - I found the event I was after. How do I find out when the evil person
> > logged in, and when she logged out?
>
> The login message will be present, and tells you interesting things such
> as when and from where the person logged in and what authentication
> method was used. Instead of asking for a logout time, the more
> interesting question would be if any processes launched by that person
> are still active, and a logout message doesn't help determine that.

Perhaps.

> A logout message would be useful if the system guaranteed that all
> processes launched by that user are definitely terminated at that time,
> but that goes beyond the requirements of CAPP.

It's still useful to know when the user session ended, even if all the
activities haven't ceased.

> > A logout message does wonders toward having a compelling story without
> > this level of audit.
>
> Hmmm, the type of evaluation I'm used to generally involves testing
> instead of having the developer tell stories ;-)

This is a major difference between the TCSEC and CC evaluations. We told
lots and lots of stories in the TCSEC days.

> Maybe we'll just have to agree to disagree here, there are different ways
> to approach this issue. The CAPP audit requirements are fairly basic and
> aren't intended to be useful for all purposes.

True enough.
=====
Casey Schaufler
casey(a)schaufler-ca.com
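Added example (not part of the thread above, and not code from any of the evaluated systems mentioned in it): the two cases argued over in the message, a screen session that outlives the logout record and a cron job that carries a login UID but no login/logout records, reconstructed from audit records. The log lines are constructed for this example in the style of Linux audit records; the field names the parser relies on (type, auid, ses, pid, comm, res, and the audit(time:serial) stamp) are assumptions about that style, and the session bracket is the (auid, ses) pair rather than any controlling tty. It shows both what a logout record gives you (a bracket end) and what it does not (proof that the user's processes are gone).

```python
"""Bracket audit activity by login UID and session id, and show what a
logout record does and does not tell you.  The sample records below are
constructed, not captured from a real system."""
import re

# Constructed sample.  alice logs in over ssh (auid=1000, ses=7), starts
# screen, logs out; screen stays up and later spawns a shell.  A cron job
# for alice runs with auid=1000 in its own session (ses=9) and writes no
# login/logout records at all.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1109030017.101:40): pid=500 uid=0 auid=1000 ses=7 msg='op=login acct="alice" exe="/usr/sbin/sshd" addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1109030020.250:41): arch=c000003e syscall=59 success=yes exit=0 ppid=500 pid=501 auid=1000 uid=1000 ses=7 tty=pts0 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1109030031.310:42): arch=c000003e syscall=59 success=yes exit=0 ppid=501 pid=502 auid=1000 uid=1000 ses=7 tty=pts0 comm="screen" exe="/usr/bin/screen"
type=USER_END msg=audit(1109030099.500:43): pid=500 uid=0 auid=1000 ses=7 msg='op=logout acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=SYSCALL msg=audit(1109030150.700:44): arch=c000003e syscall=59 success=yes exit=0 ppid=502 pid=503 auid=1000 uid=1000 ses=7 tty=(none) comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1109030200.000:45): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=600 auid=1000 uid=1000 ses=9 tty=(none) comm="backup.sh" exe="/bin/sh"
"""

# key=value pairs; a quoted value (single or double) is taken whole so the
# nested msg='...' payload does not leak its own fields into the top level.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Parse one audit-style line into a dict.  Top-level fields win; fields
    inside the quoted msg='...' payload (acct, res, terminal, ...) are
    merged in only where no top-level field of that name exists."""
    rec = {}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"\'')
    stamp = STAMP_RE.search(line)
    if stamp:
        rec['time'] = float(stamp.group(1))
        rec['serial'] = int(stamp.group(2))
    inner = rec.get('msg', '')
    if '=' in inner:
        for key, val in KV_RE.findall(inner):
            rec.setdefault(key, val.strip('"\''))
    return rec


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def build_sessions(records):
    """Group records by (auid, ses).  The login UID survives setuid and
    daemonisation and the session id ties a process tree back to its login,
    so this pair is the bracket the thread argues about.  Returns
    {(auid, ses): {'login': t|None, 'logout': t|None, 'procs': [(t, pid, comm)]}}."""
    sessions = {}
    for rec in records:
        if 'auid' not in rec or 'ses' not in rec:
            continue
        key = (int(rec['auid']), int(rec['ses']))
        s = sessions.setdefault(key, {'login': None, 'logout': None, 'procs': []})
        if rec['type'] == 'USER_LOGIN' and rec.get('res') == 'success':
            s['login'] = rec['time']
        elif rec['type'] == 'USER_END':
            s['logout'] = rec['time']
        elif rec['type'] == 'SYSCALL':
            s['procs'].append((rec['time'], int(rec['pid']), rec.get('comm', '?')))
    return sessions


def activity_after_logout(sessions):
    """Process records that carry a session's auid/ses after that session's
    USER_END: the detached-screen case that a logout record cannot rule out."""
    found = []
    for (auid, ses), s in sessions.items():
        if s['logout'] is None:
            continue
        for t, pid, comm in s['procs']:
            if t > s['logout']:
                found.append((auid, ses, pid, comm))
    return found


def unbracketed_sessions(sessions):
    """Sessions with activity but no login record: a cron job that set the
    login UID but wrote no login/logout records looks like this."""
    return [k for k, s in sessions.items() if s['login'] is None and s['procs']]


if __name__ == '__main__':
    sess = build_sessions(parse_log(SAMPLE_LOG))
    for key, s in sess.items():
        print(key, 'login', s['login'], 'logout', s['logout'], 'procs', len(s['procs']))
    print('active after logout:', activity_after_logout(sess))
    print('no login bracket:', unbracketed_sessions(sess))
```

Run against the constructed sample, the ssh session (1000, 7) gets a clean login/logout bracket yet still has a bash started by the detached screen after the USER_END record, and the cron session (1000, 9) has activity attributable to alice with no bracket at all. Both sides of the argument are visible in one listing: the bracket is real and useful, and it says nothing about whether the user's processes have stopped.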