On Fri, 2005-04-01 at 11:07 -0600, Timothy R. Chavez wrote:
> The audit subsystem is currently incapable of auditing a file system object
> based on its location and name. This is critical for auditing well-defined
> and security-relevant locations such as /etc/shadow, where the inode is
> mutable,
I think "where the file is re-created on each transaction" is clearer
than "where the inode is mutable". YMMV. To me, the latter just says
that the inode's state can be changed (e.g. its mode, flags, etc), which
isn't quite the same as the issue of having an entirely new inode
created and associated with the /etc/shadow location on every
transaction.
> and cannot rely on the (device, inode)-based filters to ensure
> persistence of auditing across transactions. This patch adds the necessary
> functionality to the audit subsystem and VFS to support file system auditing
> in which an object is audited based on its location and name. This work is
> being done to make the audit subsystem compliant with Common Criteria's
> Controlled Access Protection Profile (CAPP) specification.
Looks good otherwise.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
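Why a (device, inode) watch loses a file like /etc/shadow once it is rewritten by temp-file-and-rename, as an added illustration that is not part of this thread or the patch: the script below simulates both update styles on a scratch file (all names and helpers are hypothetical) and checks whether a watch keyed by (dev, inode) or by pathname still matches the object afterwards.

```python
import os
import tempfile


def rewrite_in_place(path: str, data: bytes) -> None:
    """Overwrite the existing file; the inode is reused."""
    with open(path, "wb") as f:
        f.write(data)


def rewrite_via_rename(path: str, data: bytes) -> None:
    """Update the way passwd/shadow tools do: write a temp file in the same
    directory, then rename() it over the original.  The old inode is dropped
    and a brand-new inode takes over the name."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.rename(tmp, path)


def dev_ino(path: str) -> tuple:
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def watch_survives(rewrite, watch_by: str) -> bool:
    """Install a simulated audit watch on a scratch 'shadow' file, apply one
    rewrite strategy, and report whether the watch still identifies the
    object now living at that location."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "shadow")
        with open(target, "wb") as f:
            f.write(b"root:*:0:0:::::\n")          # constructed sample content
        # Rule-load time: the watch is keyed either by (dev, inode) or by name.
        rule = dev_ino(target) if watch_by == "inode" else os.path.realpath(target)
        rewrite(target, b"root:!:0:0:::::\n")        # constructed "transaction"
        # Access time: does the rule still match what is at /…/shadow?
        if watch_by == "inode":
            return dev_ino(target) == rule
        return os.path.realpath(target) == rule


if __name__ == "__main__":
    for rw in (rewrite_in_place, rewrite_via_rename):
        for key in ("inode", "name"):
            print(f"{rw.__name__:20s} watch by {key:5s}: "
                  f"{'still matches' if watch_survives(rw, key) else 'LOST'}")
```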