----- Forwarded message from Serge Hallyn <serue(a)us.ibm.com&gt; ----- From: Serge Hallyn <serue(a)us.ibm.com&gt; To: Crispin Cowan <crispin(a)immunix.com&gt; Message-Id: <1095258766.5294.28.camel(a)serge.austin.ibm.com&gt; X-Mailer: Ximian Evolution 1.4.5 Date: Wed, 15 Sep 2004 09:32:46 -0500 Cc: LSM <linux-security-module(a)wirex.com&gt; Subject: Re: [PATCH] LSM hooks for audit Sorry, on a second look I notice the descriptions in security.h are far less helpful than I'd thought! The new hooks allow an LSM to refuse a process the ability to: view a list of audit rules add to the list of audit rules delete an audit rule set audit parameters (ie enable/disable audit, rate limit, etc) create a 'login' audit record. The last one is the most dubious one in my mind, but we do want to prevent a user from sending fake login audit messages, either to mislead the auditor or to fill the log with garbage. Note that the audit code (kernel/audit.c and kernel/auditsc.c) is in the kernel now. This patch only allows LSMs to restrict processes' interaction with the audit subsystem. At the moment, some of this interaction depends upon CAP_SYS_ADMIN, and some (like listing the audit rules) is always allowed. -serge On Wed, 2004-09-15 at 08:01, Crispin Cowan wrote: -- ======================================================= Serge Hallyn Security Software Engineer, IBM Linux Technology Center serue(a)us.ibm.com ----- End forwarded message -----