[RFC][PATCH 1/3] CAPP-compliant file system auditing

Casey Schaufler casey at schaufler-ca.com
Sat Apr 2 04:17:43 UTC 2005


--- "Timothy R. Chavez" <tinytim at us.ibm.com> wrote:


> Due to the subjective nature of "name", the rules
> for auditing a file system object are fairly strict.
> In terms of CAPP, the "name" is any identifier
> that a user may specify to access an object in some
> fashion.

It is entirely possible that there may be
viable alternatives to what I'm about to
suggest. I know that the argument below worked
for TCSEC B1, CC CAPP/EAL3 and CC LSPP/EAL3.
Use or ignore, as you choose.

An object is uniquely identified by its
device/inode pair. This is the name of the
object. Users of the system do not refer to
objects directly by their names. The interfaces
provided use pathnames and file descriptors
which are translated internally by the system,
based on the process context, into object names.

Thus, the pathname "/etc/shadow" is not the
name of an object, it is a handle that the
system translates on behalf of a process.
Similarly, an open file is accessed by a
file descriptor, which also identifies an
object but is not the object's name.

Consider the case where a file is open and
unlinked. It has no representation in the
file system name space, yet can still be
accessed. You can put the descriptor in
the audit record, but that's process relative.
When this file is closed, the object is
destroyed, having neither a descriptor nor
a pathname to reference it by.


Casey Schaufler
casey at schaufler-ca.com
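The open-and-unlinked case described in the message above, as an added example that is not part of the original post or of the audit patch under discussion. It records the (st_dev, st_ino) pair through the descriptor, removes the pathname, and shows that the same object is still reachable and still carries the same identity until the last descriptor is closed. The /tmp template path is a constructed sample value; the struct and function names are the example's own.

```c
/* Added example (not from the list post or the patch): shows that a file's
 * identity is the (st_dev, st_ino) pair, and that an open-but-unlinked file
 * stays accessible with no pathname while its descriptor lives. The /tmp
 * template is a constructed sample value. Plain POSIX user space, no kernel
 * code involved. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Observations from the scenario, kept in a struct so callers can check them. */
struct unlink_demo {
    dev_t dev_before;            /* identity from fstat() while the name existed */
    ino_t ino_before;
    dev_t dev_after;             /* identity from fstat() after unlink() */
    ino_t ino_after;
    int   readable_after_unlink; /* 1 if the data could still be read back */
    int   name_gone;             /* 1 if stat() on the path now fails */
    int   nlink_after;           /* link count reported after unlink() */
};

/* Runs the scenario from the post: open, record identity, unlink, keep using
 * the descriptor. Returns 0 on success, -1 on a system call failure. */
int run_unlink_demo(struct unlink_demo *out)
{
    char path[] = "/tmp/audit-demo-XXXXXX";   /* constructed template */
    const char payload[] = "object survives unlink";
    char buf[sizeof payload];
    struct stat st;

    memset(out, 0, sizeof *out);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* The (dev, ino) pair is the object's name in the post's terminology. */
    if (fstat(fd, &st) < 0) { close(fd); unlink(path); return -1; }
    out->dev_before = st.st_dev;
    out->ino_before = st.st_ino;

    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fd); unlink(path); return -1;
    }

    /* Remove the pathname: the handle is gone, the object is not. */
    if (unlink(path) < 0) { close(fd); return -1; }
    out->name_gone = (stat(path, &st) < 0);

    /* The descriptor still resolves to the same object... */
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    out->dev_after = st.st_dev;
    out->ino_after = st.st_ino;
    out->nlink_after = (int)st.st_nlink;

    /* ...and the data is still reachable through it. */
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { close(fd); return -1; }
    ssize_t n = read(fd, buf, sizeof buf);
    out->readable_after_unlink = (n == (ssize_t)sizeof payload &&
                                  memcmp(buf, payload, sizeof payload) == 0);

    /* Closing the last descriptor destroys the object entirely: after this
     * there is neither a descriptor nor a pathname that can reach it. */
    close(fd);
    return 0;
}

int main(void)
{
    struct unlink_demo d;
    if (run_unlink_demo(&d) != 0) {
        perror("run_unlink_demo");
        return 1;
    }
    printf("identity before unlink: dev=%llu ino=%llu\n",
           (unsigned long long)d.dev_before, (unsigned long long)d.ino_before);
    printf("identity after  unlink: dev=%llu ino=%llu (nlink=%d)\n",
           (unsigned long long)d.dev_after, (unsigned long long)d.ino_after,
           d.nlink_after);
    printf("pathname gone: %d, data still readable via fd: %d\n",
           d.name_gone, d.readable_after_unlink);
    return 0;
}
```

For an audit record this is the practical consequence of the argument: the pathname and the descriptor number are both context the kernel resolved at a moment in time, while the device/inode pair is what stays constant across the rename, unlink and close that happen after the access was logged.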


		
__________________________________ 
Yahoo! Messenger 
Show us what our next emoticon should look like. Join the fun. 
http://www.advision.webevents.yahoo.com/emoticontest




More information about the Linux-audit mailing list