[redhat-lspp] Re: audit records when specifying an invalid context at ssh login

Casey Schaufler casey at schaufler-ca.com
Thu Feb 8 18:48:09 UTC 2007


--- Tomas Mraz <tmraz at redhat.com> wrote:


> Yes, that's the current one. We actually audit just the case when the
> user requests a level change, not the role change.

That surprises me. If roles are included in your
security claims I would consider changing roles
a change in the security state, and hence quite
relevant, thus requiring audit.

> We also do not audit the
> case where the requested level is invalid.

You can argue that on the basis of not auditing
user errors ...

> There is just a message
> in /var/log/secure for that case.

... except that by doing that you're saying
that it does matter. That's going to make it
difficult to explain what your audit policy
is. Not impossible, but you don't want to
have to explain every decision along these
lines.


Casey Schaufler
casey at schaufler-ca.com
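As an added illustration of the policy argued for above (constructed example code, not the PAM, sshd or list members' code), here is one decision path in which a level change, a role change and an invalid requested context all go through the same audit step, so nothing ends up only in /var/log/secure. The `Context`, `UserPolicy` and `audit_login_context` names, the event labels and the sample policy are all assumptions made for the example; real SELinux levels are ranges with categories, which this simplifies to a set of permitted strings.

```python
"""Constructed example: a single audit decision path for login contexts.

Not the code discussed on the list. Event labels ("level_change",
"role_change", "invalid_context") are hypothetical names chosen for the
example, not Linux audit record types.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """A "user:role:level" triple, with the level kept as a plain string."""
    user: str
    role: str
    level: str


def parse_context(text: str) -> Optional[Context]:
    """Parse "user:role:level"; return None when the string is malformed."""
    parts = text.split(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    return Context(*parts)


@dataclass(frozen=True)
class UserPolicy:
    """What one login account may request (constructed sample shape)."""
    default: Context
    allowed_roles: frozenset
    allowed_levels: frozenset


Event = Tuple[str, str, str]


def audit_login_context(policy: UserPolicy, requested: str) -> Tuple[bool, List[Event]]:
    """Return (accept, audit_events) for a requested login context.

    Every outcome that changes the security state (role change, level
    change) and every rejected request yields an audit event, so the audit
    trail alone reconstructs what happened and the audit policy has one
    rule to explain: state changes and refused requests are audited.
    """
    ctx = parse_context(requested)
    if ctx is None:
        return False, [("invalid_context", requested, "malformed")]
    if ctx.user != policy.default.user:
        return False, [("invalid_context", requested, "user mismatch")]
    if ctx.role not in policy.allowed_roles:
        return False, [("invalid_context", requested, "role not permitted")]
    if ctx.level not in policy.allowed_levels:
        return False, [("invalid_context", requested, "level not permitted")]

    events: List[Event] = []
    # A role change is a change in security state, so it is audited too,
    # not only the level change.
    if ctx.role != policy.default.role:
        events.append(("role_change", policy.default.role, ctx.role))
    if ctx.level != policy.default.level:
        events.append(("level_change", policy.default.level, ctx.level))
    return True, events


# Constructed sample policy for one account.
SAMPLE_POLICY = UserPolicy(
    default=Context("staff_u", "staff_r", "s0"),
    allowed_roles=frozenset({"staff_r", "sysadm_r"}),
    allowed_levels=frozenset({"s0", "s1"}),
)

if __name__ == "__main__":
    for req in ("staff_u:staff_r:s0", "staff_u:staff_r:s1",
                "staff_u:sysadm_r:s0", "staff_u:staff_r:s5", "garbage"):
        accept, events = audit_login_context(SAMPLE_POLICY, req)
        print(f"{req!r}: accept={accept} audit={events}")
```

The point of routing the rejected request through the same function as the accepted changes is that the auditor never has to ask why one class of event lives in the audit log and another only in a syslog file.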



