best way to audit in vfs

Klaus Weidner klaus at atsec.com
Wed Dec 15 21:14:33 UTC 2004


On Thu, Dec 16, 2004 at 07:45:00AM +1100, Leigh Purdie wrote:
> Does this approach still allow us to cover the example of failed file-
> opens (no such file or dir), where an inode does not exist, but the
> administrator wants an indication that the attempt was made?
> 
> eg: normal user$ echo "+ + someuser" > /etc/hosts.equiv
> bash: /etc/hosts.equiv: No such file or directory
> 
> In general, two (or more) audit events could be generated here:
> * Permission denied on create file, in /etc (which would be covered by
> the permission() inode), and
> * User attempted to WRITE to /etc/hosts.equiv, and failed.

Note that what you're asking for goes beyond literal CAPP requirements:

  5.2.2 FDP_ACF.1
  Event: All requests to perform an operation on an object covered by the SFP
  Details: The identity of the object.

("Details" are in addition to the required "Date and time of the event,
type of event, subject identity, and the outcome (success or failure) of
the event")

A file that doesn't exist is not an object and it can't have an operation
performed on it. The admin could always create an empty file as a
placeholder for an unused trusted database (which /etc/hosts.equiv isn't
for the planned RHEL ST) to get write attempts audited anyway.

You could also consider the file creation as an operation on the
*directory* and get it audited that way, meaning that an admin should
specify audit rules for the directory to be informed about failed
attempts to create new files.

-Klaus
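As an added illustration of the last point (this is not from the mailing list thread), the script below works through what a directory rule yields: since a nonexistent file has no inode, a failed create is only visible through the parent directory, so the audit PATH record names the directory rather than the missing file. The log records, the rule key "etc-writes" and the user ids are constructed sample data in audit.log style.

```python
import errno
import re
from collections import defaultdict

O_CREAT = 0o100  # x86_64 open(2) flag bit; syscall 2 is open on that arch

# Constructed sample in audit.log style (not real data): serial 87 is a
# non-root user failing to create /etc/hosts.equiv under a rule on /etc,
# serial 88 is root successfully opening an existing file for writing.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1103145273.401:87): arch=c000003e syscall=2 success=no exit=-13 a0=7f3e a1=241 a2=1b6 a3=0 items=1 pid=2201 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="etc-writes"
type=CWD msg=audit(1103145273.401:87): cwd="/home/someuser"
type=PATH msg=audit(1103145273.401:87): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=SYSCALL msg=audit(1103145301.117:88): arch=c000003e syscall=2 success=yes exit=3 a0=7f3e a1=241 a2=1b6 a3=0 items=1 pid=2210 auid=0 uid=0 comm="vi" exe="/usr/bin/vi" key="etc-writes"
type=PATH msg=audit(1103145301.117:88): item=0 name="/etc/hosts.allow" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records sharing a serial number into one event per syscall."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev = events[int(serial)]
        if rtype == "PATH":
            ev["PATH"].append(fields)  # one PATH record per resolved name
        else:
            ev[rtype] = fields
    return events


def failed_creates(text, key):
    """Return failed open(O_CREAT) attempts that matched the directory rule `key`."""
    hits = []
    for serial, ev in sorted(parse_events(text).items()):
        sc = ev.get("SYSCALL")
        if not sc or sc.get("key") != key or sc.get("success") != "no":
            continue
        if not int(sc["a1"], 16) & O_CREAT:  # a1 is the open() flags argument
            continue
        # Only the parent directory has an inode, so that is what PATH reports.
        parents = [p["name"] for p in ev["PATH"] if p.get("nametype") == "PARENT"]
        hits.append({"serial": serial, "auid": int(sc["auid"]), "comm": sc["comm"],
                     "errno": errno.errorcode[-int(sc["exit"])],
                     "directory": parents[0] if parents else None,
                     "cwd": ev.get("CWD", {}).get("cwd")})
    return hits


if __name__ == "__main__":
    for hit in failed_creates(SAMPLE_LOG, "etc-writes"):
        print(hit)
```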
