[RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 1 17:38:05 UTC 2005


On Fri, 2005-04-01 at 11:07 -0600, Timothy R. Chavez wrote:
> The audit subsystem is currently incapable of auditing a file system object 
> based on its location and name.  This is critical for auditing well-defined 
> and security-relevant locations such as /etc/shadow, where the inode is 
> mutable,

I think "where the file is re-created on each transaction" is clearer
than "where the inode is mutable".  YMMV.  To me, the latter just says
that the inode's state can be changed (e.g. its mode, flags, etc), which
isn't quite the same as the issue of having an entirely new inode
created and associated with the /etc/shadow location on every
transaction.

>  and can not rely on the (device, inode)-based filters to ensure 
> persistence of auditing across transactions. This patch adds the necessary 
> functionality to the audit subsystem and VFS to support file system auditing 
> in which an object is audited based on its location and name.  This work is 
> being done to make the audit subsystem compliant with Common Criteria's 
> Controlled Access Protection Profile (CAPP) specification.

Looks good otherwise.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
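The behaviour the thread is describing, as an added example that is not part of the original exchange: a shadow-style update writes a temporary file and renames it over the target, so the path keeps its name but gets a freshly allocated inode, and a filter keyed on (device, inode) stops matching while a location-and-name filter still does. The two watch classes are hypothetical simulations of the two filter styles, not the audit subsystem's own code; a POSIX filesystem is assumed.

```python
import os
import tempfile


def inode_key(path):
    """The (st_dev, st_ino) pair a device/inode-based filter keys on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def rewrite_atomically(path, data):
    """Replace `path` the way shadow utilities do: write a temp file, rename it.

    The new content lives in a newly allocated inode; the rename only
    re-points the directory entry, and the old inode is released."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


class DevInoWatch:
    """Hypothetical filter that remembers the inode it was armed on."""
    def __init__(self, path):
        self.key = inode_key(path)

    def matches(self, path):
        return inode_key(path) == self.key


class PathWatch:
    """Hypothetical filter keyed on location and name instead."""
    def __init__(self, path):
        self.path = os.path.realpath(path)

    def matches(self, path):
        return os.path.realpath(path) == self.path


def demo():
    """Arm both watches, rewrite the file once, report which still fires."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "shadow")
        # Constructed sample entries, not real account data.
        rewrite_atomically(target, "root:*:19000:0:99999:7:::\n")
        before = inode_key(target)
        by_inode, by_path = DevInoWatch(target), PathWatch(target)
        rewrite_atomically(target, "root:*:19001:0:99999:7:::\n")
        return {"inode_changed": inode_key(target) != before,
                "devino_matches": by_inode.matches(target),
                "path_matches": by_path.matches(target)}


if __name__ == "__main__":
    print(demo())
```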