Re: [redhat-lspp] Watch question
--- Amy Griffis <amy.griffis(a)hp.com> wrote:
Timothy R. Chavez wrote: [Fri Apr 28 2006,
11:29:27AM EDT]
> On Fri, 2006-04-28 at 08:50 -0400, Steve Grubb
wrote:
> > I completely disagree with the current file
system auditing approach requiring
> > explicit syscall coupling. I think it is a big
problem for the security
> > community to have a tool for auditing files that
requires knowledge of
> > syscalls.
This audit subsystem was designed around knowledge
of syscalls, to the
point that it requires the user to know whether a
particular rule
field is applicable at syscall entry or exit time.
(!)
The alternative to understanding system calls is
understanding the underlying security policy in
detail, and in truth you'll get lost pretty
quickly if you don't understand both on whatever
system you're using. For audit to be complete it
must be done at a low enough level that access
control decisions can be observed. Since access
control is deeply embedded in the system it is
necessary to embed audit as well. Systems that
use a explicitly modular reference monitor have
an advantage, but are still constrained by the
information provided them. (reference the recent
"inode" vs. "pathname" discussion on LSM)
It is also the case that auditing must be coupled
to the action requested. I'll admit that open()
is not a very informative event, and that ioctl()
is even worse. But for "real intent" there is no
metric.
Casey Schaufler
casey(a)schaufler-ca.com