On Thu, Jun 09, 2005 at 09:54:39AM -0400, Steve Grubb wrote:
> No audit records are generated when I made the file world readable. I
> suppose you could hook the right syscalls, but that would provide way too
> much info.
> The reason I ask is Table 1 of CAPP, FMT_MSA.3 says that we should be able
> to audit all modifications to the initial value of security attributes &
> modifications to permissive or restrictive rules. Maybe I misunderstand the
> application of this requirement, but that seems like file permissions.
CAPP also requires auditability of "all modifications to the values of
security attributes" (5.4.1 FMT_MSA.1) which includes chmod/chown etc.
FMT_MSA.3 is more concerned with default properties such as the umask
setting.

The auditable events table in CAPP doesn't list "the identity of the
object" explicitly for that event class, so taken literally you could
argue that the syscall audit capability with (device, inode) pairs and
call arguments would cover this requirement. I'd consider that to be
against the spirit of CAPP; the point of audit should be to have a record
of security relevant changes which should include chmod/chown and similar
changes.
-Klaus
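An added example, not part of the thread: what the "syscall audit with (device, inode) pairs and call arguments" approach actually yields, as a small parser over SYSCALL/PATH records for the chmod/chown family. It groups records by audit serial, decodes the mode or owner arguments, and flags a chmod that made an object world-readable (Steve's case). The log lines are constructed for this example in the Linux audit log format; the syscall numbers assume x86_64 and the key name "perm_mod" is my choice for the rule that would produce them.

```python
"""Extract permission/ownership changes from Linux audit log records.

Added example; not code from the linux-audit project. Sample records are
constructed, syscall numbers assume x86_64.
"""
import re
from collections import defaultdict

# x86_64 syscall numbers for the permission and ownership syscalls (assumption).
PERM_SYSCALLS = {
    90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown", 94: "lchown",
    260: "fchownat", 268: "fchmodat",
}

# Constructed sample: chmod 644 on a 0600 file, then chown root (gid unchanged).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1118325279.101:42): arch=c000003e syscall=90 success=yes exit=0 a0=6020a0 a1=1a4 a2=0 a3=0 items=1 ppid=2101 pid=2150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 comm="chmod" exe="/bin/chmod" key="perm_mod"
type=CWD msg=audit(1118325279.101:42): cwd="/home/steve"
type=PATH msg=audit(1118325279.101:42): item=0 name="secret.txt" inode=131074 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1118325280.555:43): arch=c000003e syscall=92 success=yes exit=0 a0=6020a0 a1=0 a2=ffffffff a3=0 items=1 ppid=2101 pid=2160 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chown" exe="/bin/chown" key="perm_mod"
type=PATH msg=audit(1118325280.555:43): item=0 name="/srv/data/report.txt" inode=2048 dev=08:01 mode=0100640 ouid=1000 ogid=1000 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'a=1 b="x y"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def owner_arg(hexval):
    """chown-style argument: 0xffffffff means -1, i.e. leave unchanged."""
    n = int(hexval, 16)
    return None if n == 0xFFFFFFFF else n


def group_events(log_text):
    """Group records that share an audit serial number into one event."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["timestamp"] = ts
        if rtype == "SYSCALL":
            ev["SYSCALL"] = parse_fields(body)
        elif rtype == "PATH":
            ev["PATH"].append(parse_fields(body))
    return events


def parse_perm_changes(log_text):
    """Return one dict per chmod/chown-family event, with objects as (dev, inode, name, old_mode)."""
    changes = []
    for serial, ev in sorted(group_events(log_text).items()):
        sc = ev["SYSCALL"]
        if sc is None:
            continue
        name = PERM_SYSCALLS.get(int(sc["syscall"]))
        if name is None:
            continue
        change = {
            "serial": serial,
            "syscall": name,
            "auid": int(sc["auid"]),
            "uid": int(sc["uid"]),
            "success": sc["success"] == "yes",
            # PATH mode is octal and includes the file type bits; keep only permission bits.
            "objects": [(p["dev"], int(p["inode"]), p["name"], int(p["mode"], 8) & 0o7777)
                        for p in ev["PATH"]],
        }
        if name in ("chmod", "fchmod", "fchmodat"):
            # chmod(path, mode) / fchmod(fd, mode) carry the mode in a1; fchmodat(dirfd, path, mode) in a2.
            new_mode = int(sc["a2" if name == "fchmodat" else "a1"], 16) & 0o7777
            change["new_mode"] = new_mode
            change["became_world_readable"] = bool(new_mode & 0o004) and all(
                not (old & 0o004) for _, _, _, old in change["objects"])
        else:
            # chown/fchown/lchown carry (uid, gid) in a1/a2; fchownat in a2/a3.
            uid_arg, gid_arg = ("a2", "a3") if name == "fchownat" else ("a1", "a2")
            change["new_owner"] = (owner_arg(sc[uid_arg]), owner_arg(sc[gid_arg]))
        changes.append(change)
    return changes


if __name__ == "__main__":
    for c in parse_perm_changes(SAMPLE_LOG):
        print(c)
```

Records of this shape come from a rule such as `-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S lchown -S fchownat -k perm_mod`; the PATH record supplies the (dev, inode) pair and the pre-change mode, and the SYSCALL record supplies the arguments, which is the combination Klaus refers to. The object's name is only whatever the caller passed, so the inode, not the name, is the stable identity of the object.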