--- Klaus Weidner <klaus(a)atsec.com> wrote:
> On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey Schaufler wrote:
> > --- Klaus Weidner <klaus(a)atsec.com> wrote:
> > > I'm not aware of an explicit CAPP requirement for logout messages, so I'd
> > > consider that to be a "nice to have" feature.
> >
> > You need a logout message. Really.
>
> Can you point to a specific requirement in CAPP related to that?
Nope. On the other hand, I cannot point to
a system that has been successfully evaluated
that does not do this.
> Note that even if you have logout records, they are not a reliable
> indication that the session is complete; there may be background
> processes launched by the user that keep running (and potentially
> generating audit events) after the logout message.
This will, of course, depend on how carefully
you've defined a "session". A detached process
that is not associated with a controlling tty
cannot interact with the user, hence need not
be considered a part of the user's session.
On the other hand, the collection of processes
started by a cron job is a session, even though
no user is interacting.
My point? It's not enough to have code that
does auditing. No evaluation team, even a
Spanish team using the Common Criteria, will
have any patience with you if you take the
attitude of "show me where it says I have to
do this". Especially if you use the fact that
the system makes audit hard to explain as the
grounds for your argument. You need to define
the audit strategy that answers questions like:
- I have a login message, why isn't there a
logout message?
- I found the event I was after. How do I find
out when the evil person logged in, and when
she logged out?
> If you need that kind of information and you aren't satisfied with the
> login UID, you need to trace all fork/exec/exit events for the session.
Auditing the introduction (fork) and
deletion (exit) of subjects (processes)
is certainly a requirement. But take heart:
you only have to be able to do it; you
are only required to do it all the time
if there's no other way to track the
session. A logout message does wonders
toward having a compelling story without
this level of audit.
=====
Casey Schaufler
casey(a)schaufler-ca.com
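As an added example, not part of the thread or of any evaluated system: a small Python script over constructed audit records that reconstructs each login UID's session window from both the LOGOUT record and the last EXIT of any process carrying that UID, and lists the processes still running at logout (the background-process case Klaus raises, handled by the fork/exit tracking Casey describes). The record layout and the LOGIN/FORK/EXEC/EXIT/LOGOUT type names are assumptions of the example, not a real audit format.

```python
from collections import defaultdict

# Constructed sample audit records: (timestamp, type, login UID, pid, ppid).
# Layout and type names are assumptions of this example, not a real audit
# format. pid 500 is the login program, 501 the shell, 502 a background worker.
SAMPLE = [
    (100, "LOGIN",  1000, 500, 1),
    (101, "FORK",   1000, 501, 500),
    (102, "EXEC",   1000, 501, 500),
    (103, "FORK",   1000, 502, 501),
    (104, "EXIT",   1000, 501, 500),   # shell exits ...
    (105, "LOGOUT", 1000, 500, 1),     # ... and the login program logs out
    (106, "EXIT",   1000, 500, 1),
    (110, "EXIT",   1000, 502, 501),   # worker outlives the LOGOUT record
    (200, "LOGIN",  1001, 600, 1),
    (201, "LOGOUT", 1001, 600, 1),
]

def reconstruct_sessions(records):
    """Return {auid: {"login", "logout", "end", "stragglers"}}.

    "end" is the later of the LOGOUT record and the last EXIT of any process
    carrying that login UID; "stragglers" are pids still alive at LOGOUT
    (excluding the login program, which writes that record).
    """
    by_auid = defaultdict(list)
    for rec in sorted(records):
        by_auid[rec[2]].append(rec)

    sessions = {}
    for auid, recs in by_auid.items():
        login = next((ts for ts, t, *_ in recs if t == "LOGIN"), None)
        logout = next((ts for ts, t, *_ in recs if t == "LOGOUT"), None)
        logout_pid = next((pid for _, t, _, pid, _ in recs if t == "LOGOUT"), None)
        exits = {pid: ts for ts, t, _, pid, _ in recs if t == "EXIT"}
        pids = {pid for _, t, _, pid, _ in recs if t in ("LOGIN", "FORK")}
        stragglers = sorted(
            p for p in pids - {logout_pid}
            if logout is not None and exits.get(p, float("inf")) > logout
        )
        end = max((x for x in (logout, *exits.values()) if x is not None), default=None)
        sessions[auid] = {"login": login, "logout": logout,
                          "end": end, "stragglers": stragglers}
    return sessions

if __name__ == "__main__":
    for auid, s in reconstruct_sessions(SAMPLE).items():
        print(f"auid {auid}: login {s['login']} logout {s['logout']} "
              f"end {s['end']} still running at logout: {s['stragglers']}")
```

For auid 1000 the LOGOUT record says 105 while the session's audit trail actually ends at 110, which is the gap the thread is about.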