best way to audit in vfs

Klaus Weidner klaus at atsec.com
Wed Dec 15 22:03:52 UTC 2004


On Thu, Dec 16, 2004 at 08:37:54AM +1100, Leigh Purdie wrote:
> Unfortunately, there are many examples of where CAPP requirements, and
> real-world-usage significantly differ. :)
> 
> I suspect this is more of a political discussion than something that
> deserves to be in a feature-set analysis ;) .. but since the two
> slightly overlap; based on over 10 years of working with audit
> subsystems on many OS's, in many agencies, I'm just trying to bring a
> summary of the key customer requirements that we've seen over time to
> the discussion.

Your input is very valuable to this, and I agree that the goal should be
to have something generally useful and not just strictly doing the bare
minimum needed to meet the CAPP requirements.

However, I think it helps in this discussion to at least keep in mind
where different requirements are coming from, since the different
expectations people have about what the audit system is supposed to do
are different enough already.

Roughly, I think there are at least the following separate goals:

- achieving basic CAPP compliance so that a product using this
  implementation can be used in environments where this is formally
  required.

- provide useful security event auditing during normal system operation,
  similar in spirit to CAPP but differing in details, such as performance
  requirements, additional flexibility needed, and maybe not insisting on
  some details that CAPP specifies.

- provide information suitable for forensics in case something really
  unexpected happens. Some ideas mentioned here concerned the information
  available after a crash, maybe involving the exploit of a previously
  unknown security flaw.

- provide a debugging tool - I hope we're mostly in agreement that this
  isn't something that the audit system should be designed for, that
  should be a separate tracing system that maybe shares some
  infrastructure.

The point is that it's worthwhile to at least look at different
requirements, but not to get bogged down in attempts to achieve the
"perfect" system, especially if that turns out to be impossible due to
conflicting requirements. I personally think that a combination of the
first two (CAPP + real-world usefulness) is achievable but adding more
requirements runs the risk of not getting any working solution at all
anytime soon.

-Klaus
