RE: [redhat-lspp] Re: New Audit types
I think you're missing a subtle point. Assume that the user has the
permissions to read secret and write to an unlabeled media. Assume they
have
properly allocated the device and are ready to do something.
Given that, what is the correct action? LSPP says that its an auditable
event
- it doesn't say it must be prevented. Should each program that
does this
be
patched or does a central mechanism in the kernel need to handle
this?
I believe this should be covered by the existing syscall auditing such as
open and others. The LSPP doesn't state the auditing of the export has to be
any different than other fs auditing, just that it has to occur IMHO. The
additional requirement is the device allocation auditing requirements. An
audit analyst should *hopefully* be able to correlate what has been exported
given these events.
-Chad