Hello,
.:: Introduction ::.
In its present state, the Linux audit subsystem cannot be used in a Common
Criteria (ISO/IEC 15408)[1] CAPP/EAL4+[2] evaluation. This patch addresses a
blocking deficiency in the current implementation regarding the inability to
audit file system objects by "name". Currently, one is limited to using an
(inode,device) filter rule to audit syscall access to the object. This is
insufficient for CAPP because (1) the object is not being audited by "name"
and (2) it will not remain auditable if the underlying inode changes. What
follows from this requirement is the ability to better observe the _behavior_
of the "named" object, rather than just access to the "named" object.
Here is a relevant example showcasing the deficiency:
The administrator audits "/etc/shadow". To do so, she adds the filter rule
using /etc/shadow's current inode and device. Then, she runs 'passwd' to
change her password. She consults the audit log and sees that some records
have been generated, but when she runs 'passwd' again, she notices that
audit records are no longer being generated. She does an 'ls -i /etc/shadow'
and notices that the inode has changed. She then consults the audit log
again and comes to the realization that what's there is incomplete and
does not tell the complete story of /etc/shadow during the execution of
'passwd'.
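The scenario above can be reproduced without touching /etc/shadow. The script below is an added illustration, not part of this patch: it keys a pretend filter rule on the inode of a constructed stand-in file, then rewrites the file two ways, once in place and once with the write-a-temp-file-then-rename pattern that replaces the inode under the same name, and reports whether the inode-keyed rule still matches the object the name refers to. The paths, file contents and the `replace_by_rename` helper are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the patch): why an (inode,device) rule loses track
# of a named object that is rewritten by rename, while a "name" rule does not.

# Inode of a path, using only POSIX ls so this runs on any Unix-like system.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Update style 1: append in place. The inode stays the same.
update_in_place() {
    printf 'alice:x:1000:1000\n' >> "$1"
}

# Update style 2: write a fresh temp file and rename it over the name. This is
# the usual way shadow-style files are rewritten; the name now refers to the
# temp file's inode and the inode the rule was keyed on is gone.
replace_by_rename() {
    tmp="$1.tmp"          # constructed temp name, same directory so mv is a rename(2)
    cp "$1" "$tmp"
    printf 'alice:x:1000:1000\n' >> "$tmp"
    mv -f "$tmp" "$1"
}

# The (inode,device) filter rule as the email describes it: it matches only if
# the object currently at $path still has the inode recorded when the rule was added.
inode_rule_matches() {
    [ "$(inode_of "$1")" = "$2" ]
}

# A "name"-keyed rule: matches as long as the path string is the watched one.
name_rule_matches() {
    [ "$1" = "$2" ]
}

# Run one scenario ("inplace" or "rename") on a constructed stand-in for
# /etc/shadow. Prints "kept" if the inode rule still matches afterwards,
# "lost" if it does not.
run_scenario() {
    work=$(mktemp -d)
    target="$work/shadow"                 # stand-in for /etc/shadow (constructed)
    printf 'root:x:0:0\n' > "$target"
    rule_inode=$(inode_of "$target")      # what the admin's (inode,device) rule records
    case "$1" in
        inplace) update_in_place "$target" ;;
        rename)  replace_by_rename "$target" ;;
        *) rm -rf "$work"; echo "unknown scenario: $1" >&2; return 1 ;;
    esac
    if inode_rule_matches "$target" "$rule_inode"; then
        result=kept
    else
        result=lost
    fi
    rm -rf "$work"
    echo "$result"
}

# Same two updates, but judged by name: the watched path never changes.
name_rule_result() {
    if name_rule_matches "/etc/shadow" "/etc/shadow"; then echo kept; else echo lost; fi
}

# Stand-alone run: the in-place update keeps the inode rule, the rename loses it.
echo "inode rule after in-place update: $(run_scenario inplace)"
echo "inode rule after rename-replace:  $(run_scenario rename)"
echo "name rule after either update:     $(name_rule_result)"
```

Run it with any POSIX shell; the second line of output is the gap the patch closes, and the third is the behaviour a "name"-based watch provides.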
The patch is broken into two parts.
Part 1: The actual implementation of the file system auditing piece
Part 2: The hooks
+ + + +
[1] Common Criteria is an internationally recognized ISO standard centered
around IT security evaluations (http://csrc.nist.gov/cc/)
[2] CAPP/EAL4+ (Controlled Access Protection Profile)/Evaluation Assurance
Level 4+ is for generalized environments with a moderate level of risk to the
assets. For more information about CAPP requirements:
(http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf)
-tim