Hi Steve,
> Can you describe what types of messages you'd expect to be in each range?
I thought this was already discussed a while back.
Yeah, I asked some questions back then too.
> I'm unclear on what's an LSPP event and when a trusted program
> would be expected to use the LSPP range vs. the 1100-1199 "user space
> trusted application messages",
For example, newrole changing roles. Or assigning a user to an SELinux user.
Would non-LSPP customers also care about these events? If so, then I
think calling these LSPP events is too narrow.
> especially if the trusted program is part of the CAPP ST, the LSPP ST and
> also generally interesting.
If it's in CAPP, it's a CAPP message.
If CUPS is part of the CAPP evaluated configuration, and CUPS is being
modified to meet LSPP audit requirements, should its events be in the
trusted program range or the LSPP range? What about audit events
that are specific to RBAC? To me it's confusing to categorize events
by the protection profile that caused the code to be added, especially
if we think audit will be used by customers who might not know or
care what a PP is. I think it would be better to group them by the
types of things an admin might be interested in. I guess it doesn't
matter if the ranges aren't exposed to the administrator, but it
seems like they will be.
> I'm also not unclear on what the anomaly-related records would be.
This is related to the intrusion detection/prevention module.
OK, from the description it sounded like anything abnormal (is an
authentication failure an anomaly?) could fit that range. Maybe
having IDS in the description would help.
-- ljk