--- Leigh Purdie <Leigh.Purdie(a)intersectalliance.com>
wrote:
> Tagging an inode with an audit flag is a good starting point to gain a
> capability,
One thing I've noticed is that no one has ever asked to audit by inode
number. Both Sun and SGI rejected the notion of tagging a file for audit,
not because it was hard (it isn't) but because "copy, edit, replace" is
the norm and the tags get lost too easily.
> but I think we need to find a more comprehensive solution to provide an
> effective auditing subsystem that meets the 'filtering' requirements of
> many organisations.
The SGI audit records include
- Current Root
- Current directory
- The path requested
- The path resolved
- The device and inode
- All file attributes, including extended ones.
If /tmp/wombat is a symlink to /etc/passwd an open
record would include:
- /
- /home/btcat
- /tmp/wombat
- //tmp/>wombat//etc//passwd
- major,minor,86753
- stat info, ACL, MAC_LABEL, ...
allowing filtering on "passwd", which the syscall
never saw.
> Also, w.r.t. the success flag, we've encountered situations where a user
> wants to filter on both:
> * A broad success/failure, and
> * specific return/error codes
It is most important to distinguish access control
decisions from user errors.
=====
Casey Schaufler
casey(a)schaufler-ca.com
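The two points above (an audit record that carries both the requested and the resolved path, so a filter on "passwd" can hit a name the syscall never saw, and a success flag that separates access-control denials from ordinary user errors) can be tried out with the following example. It is added here and is not SGI's audit code or anything from the thread; it builds a throwaway directory tree in a temp dir, resolves paths with chroot-style semantics relative to that tree, and emulates the record fields listed above. The field names, the sandbox layout, and the `OpenRecord` class are assumptions made for the example. It also shows why a per-inode audit tag does not survive "copy, edit, replace": the replaced file has a new inode number.

```python
"""Emulate SGI-style open(2) audit records under a sandbox root (example code)."""
import errno
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

# errnos that mean an access-control decision rather than a user error (assumption)
ACCESS_CONTROL_ERRNOS = {errno.EACCES, errno.EPERM}


@dataclass
class OpenRecord:
    root: str           # current root as the process sees it
    cwd: str            # current directory
    requested: str      # path the syscall was given
    resolved: str       # path after symlink resolution, relative to root
    dev_ino: Optional[Tuple[int, int, int]]  # (major, minor, inode) or None on failure
    outcome: str        # "success", "access-denied" or "user-error"
    err_name: str       # errno symbol, "" on success


def classify(err: int) -> str:
    """Split the broad success/failure flag into the categories a filter wants."""
    if err == 0:
        return "success"
    return "access-denied" if err in ACCESS_CONTROL_ERRNOS else "user-error"


def resolve(root: str, cwd: str, path: str, max_links: int = 40) -> str:
    """Resolve `path` the way a process chrooted at `root` would see it.

    Absolute symlink targets restart from `root`, never from the host's "/".
    Returns the resolved path in the process's view (e.g. "/etc/passwd").
    """
    full = path if path.startswith("/") else cwd.rstrip("/") + "/" + path
    parts = [p for p in full.split("/") if p and p != "."]
    cur = []      # resolved components so far, relative to root
    links = 0
    while parts:
        p = parts.pop(0)
        if p == "..":
            if cur:
                cur.pop()
            continue
        candidate = os.path.join(root, *cur, p)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                cur = []  # chroot semantics: absolute target is relative to root
            parts = [t for t in target.split("/") if t and t != "."] + parts
            continue
        cur.append(p)
    return "/" + "/".join(cur)


def audit_open(root: str, cwd: str, requested: str, flags: int = os.O_RDONLY) -> OpenRecord:
    """Attempt the open and record what an SGI-style auditor would keep."""
    resolved, dev_ino, err = requested, None, 0
    try:
        resolved = resolve(root, cwd, requested)
        fd = os.open(os.path.join(root, resolved.lstrip("/")), flags)
        try:
            st = os.fstat(fd)
            dev_ino = (os.major(st.st_dev), os.minor(st.st_dev), st.st_ino)
        finally:
            os.close(fd)
    except OSError as e:
        err = e.errno
    return OpenRecord("/", cwd, requested, resolved, dev_ino, classify(err),
                      errno.errorcode.get(err, "") if err else "")


def matches(rec: OpenRecord, needle: str) -> bool:
    """Filter on either path field, so a symlink cannot hide the real target."""
    return needle in rec.requested or needle in rec.resolved


def build_sandbox() -> str:
    """Constructed tree: /etc/passwd plus /tmp/wombat -> /etc/passwd (absolute link)."""
    root = tempfile.mkdtemp(prefix="auditdemo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    os.symlink("/etc/passwd", os.path.join(root, "tmp", "wombat"))
    return root


def copy_edit_replace(root: str, rel: str) -> Tuple[int, int]:
    """Edit a file the way editors do (write a copy, rename over the original).

    Returns (inode before, inode after); they differ, so an inode-keyed
    audit tag on the original would no longer apply to the edited file.
    """
    path = os.path.join(root, rel.lstrip("/"))
    before = os.stat(path).st_ino
    tmp = path + ".new"
    shutil.copyfile(path, tmp)
    with open(tmp, "a") as f:
        f.write("wombat:x:1001:1001::/home/wombat:/bin/sh\n")
    os.replace(tmp, path)
    return before, os.stat(path).st_ino


if __name__ == "__main__":
    root = build_sandbox()
    print(audit_open(root, "/home/btcat", "/tmp/wombat"))   # resolved shows /etc/passwd
    print(audit_open(root, "/home/btcat", "/tmp/nosuch"))   # user-error, ENOENT
    print(copy_edit_replace(root, "/etc/passwd"))           # two different inode numbers
    shutil.rmtree(root)
```

Run as a script it prints the three records for the sandbox; a denial (EACCES/EPERM) is reported as "access-denied" while ENOENT, ELOOP and the like are "user-error", which is the distinction the message above asks for.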