best way to audit in vfs

Leigh Purdie Leigh.Purdie at intersectalliance.com
Wed Dec 15 21:37:54 UTC 2004


> > eg: normal user$ echo "+ + someuser" > /etc/hosts.equiv
> > bash: /etc/hosts.equiv: No such file or directory
> > 
> > In general, two (or more) audit events could be generated here:
> > * Permission denied on create file, in /etc (which would be covered by
> > the permission() inode), and
> > * User attempted to WRITE to /etc/hosts.equiv, and failed.
> 
> Note that what you're asking for goes beyond literal CAPP requirements:

Unfortunately, there are many examples where CAPP requirements and
real-world usage significantly differ. :)

I suspect this is more of a political discussion than something that
deserves to be in a feature-set analysis ;) .. but since the two
slightly overlap, based on over 10 years of working with audit
subsystems on many OSes, in many agencies, I'm just trying to bring a
summary of the key customer requirements that we've seen over time to
the discussion.

By all means, have a goal of meeting C2/CAPP requirements - it's very
important to have on the checklist for federal government (and other
sectors) acceptance (and looks good on the marketing stuff too). Just
keep an open mind w.r.t. things that CAPP doesn't cover, and try not to
cripple your design too much to meet the more 'practically inefficient'
requirements of CAPP. Otherwise, we'll end up with a technically
brilliant, but practically unworkable, audit subsystem for Linux.

The CAPP evaluation guys are pretty flexible - don't think of the CAPP
requirements as carved in stone. They work on a strategy of risk
management these days, rather than risk avoidance - so if you can
provide adequate justification why a particular feature was not
implemented quite the way they anticipated, it should not be a barrier
to accreditation.

However, I do take your point on creating a file to audit the file. I
should probably mention, though, that both Solaris and AIX (and also
Irix, from memory) are capable of auditing 'non-existent' files - so if
we were aiming for a best-of-breed implementation, it might be a
capability that we want to investigate.

Hope this contributes something to the mix. :)

L.
-- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
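Picking up the two-event scenario quoted at the top of the message, here is an added example (mine, not the poster's and not linux-audit project code) of how a reviewer of audit records can correlate SYSCALL and PATH records so that a failed write attempt under /etc is reported even when the target file never existed and only the parent directory is named. The records, field subset, syscall numbers and open() flag values are constructed and simplified for illustration, not captured kernel output.

```python
import errno, re
from collections import defaultdict

# Constructed, simplified auditd-style records (not real kernel output): 501 is a failed
# write-open of a non-existent file, 502 a create refused by the /etc directory
# permission check, 503 a successful read that must not be flagged.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1103146674.101:501): syscall=2 success=no exit=-2 a1=1 uid=1001 comm="dd" key="etc-writes"
type=PATH msg=audit(1103146674.101:501): item=0 name="/etc/" nametype=PARENT
type=SYSCALL msg=audit(1103146674.102:502): syscall=2 success=no exit=-13 a1=241 uid=1001 comm="bash" key="etc-writes"
type=PATH msg=audit(1103146674.102:502): item=0 name="/etc/" nametype=PARENT
type=PATH msg=audit(1103146674.102:502): item=1 name="/etc/hosts.equiv" nametype=CREATE
type=SYSCALL msg=audit(1103146674.103:503): syscall=2 success=yes exit=3 a1=0 uid=1001 comm="cat" key="etc-writes"
type=PATH msg=audit(1103146674.103:503): item=0 name="/etc/passwd" nametype=NORMAL
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_SYSCALLS = {2, 257, 85, 76}          # x86_64: open, openat, creat, truncate
O_ACCMODE, O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 3, 1, 2, 0x40, 0x200  # Linux values

def parse(log_text):
    """Group records by audit serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for m in filter(None, map(REC_RE.match, log_text.splitlines())):
        rtype, serial, body = m.groups()
        events[int(serial)][rtype].append({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return events

def write_intent(flags):
    """True when open() flags (a1, logged in hex) would modify or create the file."""
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR) or bool(flags & (O_CREAT | O_TRUNC))

def detect_failed_writes(log_text, watched_prefix="/etc/"):
    """One finding per failed write/create attempt under watched_prefix, reported
    even when the target never existed and the PATH records only name the parent."""
    findings = []
    for serial, recs in sorted(parse(log_text).items()):
        paths = recs.get("PATH", [])
        for sc in recs.get("SYSCALL", []):
            failed_write = (sc.get("success") == "no" and int(sc["syscall"]) in WRITE_SYSCALLS
                            and write_intent(int(sc.get("a1", "0"), 16)))
            if not failed_write or not any(p["name"].startswith(watched_prefix) for p in paths):
                continue
            targets = [p["name"] for p in paths if p.get("nametype") != "PARENT"]
            findings.append({
                "serial": serial, "uid": sc.get("uid"), "comm": sc.get("comm"),
                "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
                "target": targets[0] if targets else "(unnamed file under %s)" % paths[0]["name"]})
    return findings
```

Event 501 is the case the thread is about: the file does not exist, so no file watch could name it, but the failed syscall plus its parent-directory PATH record still yields an auditable "attempted write" finding with the errno telling the two failure modes apart.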
