On 10/20/05, Linda Knippers <linda.knippers(a)hp.com> wrote:
> > At this point, the subj/obj label is simply appended onto the end of the
> > existing audit record for the associated subject or object. Steve has
> > mentioned that this will get more complicated when a given subject acts
> > on multiple objects (though I haven't found a good way to test this
> > behavior yet).
>
> In most cases where there are multiple objects, wouldn't each have its
> own record (like the PATH record) so it would be clear which object the
> label is for?

That's my guess right now, Linda. I'm looking forward to seeing what
happens once Amy & Tim's fs watch code and my code are merged so that I
can test it out and see what it looks like. There's a distinct
possibility that it'll just work cleanly as you suggested.

> > If there are strong feelings one way or another, let's please
> > discuss them now.
>
> I used to think the information should be separate but I don't think
> so anymore.

Thanks, I'm happy that at least someone else likes it this way. :-D
I guess we have to remember that the ausearch et al. tools could be
augmented to sew together auxiliary records if they were separated. But
doing it this way greatly simplifies that aspect of the work to be done.
If this is intuitive and effective for LSPP compliance, I would lean toward
doing it this way and maintaining a list of future work items that
perhaps includes separating these labels out as aux records at some
point later.
:-Dustin