Hello,
.:: Introduction ::.
In its present state, the Linux audit subsystem cannot be used in a Common
Criteria (ISO/IEC 15408)[1] CAPP/EAL4+[2] evaluation. This patch addresses a
blocking deficiency in the current implementation regarding the inability to
audit file system objects by "name". Currently, one is limited to using a
(inode,device) filter rule to audit syscall access to the object. This is
insufficient for CAPP because (1) the object is not being audited or
identified by "name" nor (2) will it remain auditable if the underlying inode
changes. What follows from this requirement is the ability to better observe
the _behavior_ of the object.
Here is a relevant example showcasing the deficiency:
The administrator audits "/etc/shadow". To do so, she adds the filter rule
using "/etc/shadow"'s inode and device. She then runs 'passwd' and changes
her password. She gives a cursory glance at the audit log and sees that some
records have been generated. However, she runs 'passwd' again, checks the
log, and sees that no new records have been generated. She does an
'ls -i /etc/shadow' and notices that the inode has changed. Upon closer
inspection of the audit log, she realizes that what's there is actually
incomplete; audit records were lost due to the inode change before 'passwd'
completed execution.
The patch is broken into two parts.
Part 1: The actual implementation of the file system auditing piece
Part 2: The hooks
+ + + +
[1] Common Criteria is an internationally recognized ISO centered around IT
security evaluations (http://csrc.nist.gov/cc/)
[2] CAPP/EAL4 (Controlled Access Protection Profile)/Evaluation Assurance
Level 4+ is for generalized environments with a moderate level of risk to the
assets. For more information about CAPP requirements:
http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf
-tim
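The 'passwd' scenario above can be reproduced without touching /etc/shadow or the audit subsystem at all. The script below is an added illustration, not part of the patch posting: it creates a throwaway file, records its inode the way an (inode,device) filter rule would, then replaces the file the way password tools do (write a temp file in the same directory, rename it over the original) and checks whether the recorded inode still identifies the path. The helper names (inode_of, replace_atomically, watch_still_matches, demo) and the temp directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example: show why an (inode,device) filter rule stops matching a
# file that is replaced by rename, as /etc/shadow is by passwd.
set -eu

# inode_of PATH -> inode number of PATH (first column of 'ls -i', portable)
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# replace_atomically PATH: write new content to a temp file in the same
# directory and rename it over PATH.  The old inode is unlinked; PATH now
# names a different inode even though its name is unchanged.
replace_atomically() {
    tmp="$(mktemp "$(dirname "$1")/.tmp.XXXXXX")"
    printf 'new contents\n' > "$tmp"
    mv -f "$tmp" "$1"
}

# watch_still_matches RULE_INODE PATH -> succeeds (0) if a rule keyed on
# RULE_INODE would still fire for accesses to PATH, fails (1) if it is stale.
watch_still_matches() {
    [ "$1" = "$(inode_of "$2")" ]
}

# demo: walk through the administrator's scenario on a constructed file.
demo() {
    dir="$(mktemp -d)"                  # constructed stand-in for /etc
    f="$dir/shadow"
    printf 'old contents\n' > "$f"
    rule_inode="$(inode_of "$f")"       # what went into the inode/dev rule
    echo "rule keyed on inode $rule_inode for $f"

    replace_atomically "$f"             # what passwd does to /etc/shadow

    if watch_still_matches "$rule_inode" "$f"; then
        echo "rule still matches $f"
    else
        echo "rule is stale: $f is now inode $(inode_of "$f"), rule has $rule_inode"
    fi
    rm -rf "$dir"
}

demo
```

The second branch is the one that fires: the name "/etc/shadow" is stable across the replace, the inode is not, so only a rule keyed on the name keeps auditing the object through the operation that matters most.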