[PATCH] support using pam_audit.so in "account" stack

Casey Schaufler casey at schaufler-ca.com
Tue Feb 22 02:13:37 UTC 2005


--- Klaus Weidner <klaus at atsec.com> wrote:

> On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey
> Schaufler wrote:
> > --- Klaus Weidner <klaus at atsec.com> wrote:
> > > I'm not aware of an explicit CAPP requirement for
> > > logout messages, so I'd consider that to be a
> > > "nice to have" feature.
> > 
> > You need a logout message. Really.
> 
> Can you point to a specific requirement in CAPP
> related to that?

Nope. On the other hand, I cannot point to
a system that has been successfully evaluated
that does not do this.
 
> Note that even if you have logout records, they are
> not a reliable indication that the session is complete,
> there may be background processes launched by the user
> that keep running (and potentially generating audit
> events) after the logout message.

This will, of course, depend on how carefully
you've defined a "session". A detached process
that is not associated with a controlling tty 
cannot interact with the user, hence need not
be considered a part of the user's session.
On the other hand, the collection of processes
started by a cron job is a session, even though
no user is interacting.

My point? It's not enough to have code that
does auditing. No evaluation team, even a
Spanish team using the Common Criteria, will
have any patience with you if you take the
attitude of "show me where it says I have to
do this". Especially if you use the fact that
the system makes audit hard to explain as the
grounds for your argument. You need to define
the audit strategy that answers questions like:

- I have a login message, why isn't there a
  logout message?

- I found the event I was after. How do I find
  out when the evil person logged in, and when
  she logged out?

> If you need that kind of information and you aren't
> satisfied with the login UID, you need to trace all
> fork/exec/exit events for the session.

Auditing the introduction (fork) and
deletion (exit) of subjects (processes)
is certainly a requirement. But take heart:
you only have to be able to do it; you
are only required to do it all the time
if there's no other way to track the
session. A logout message does wonders
toward having a compelling story without
this level of audit.


=====
Casey Schaufler
casey at schaufler-ca.com
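The two questions Casey poses above (why is there no logout record to match the login, and how do you find when the person behind an event logged in and out) come down to a session-bracketing strategy. The script below is an added example, not code from the original post or from the Linux audit project: it reconstructs login-to-logout sessions from audit.log-style records and answers the second question for a given event serial. It assumes the audit.log layout (a `type=... msg=audit(secs.ms:serial):` header followed by key=value fields), USER_START/USER_END records for PAM session open/close, and `auid`/`ses` fields for the login UID and session; the log lines are constructed for the example. It also applies the session definition from the message: a process with no controlling tty (`tty=(none)`) cannot interact with the user, so its events are reported as outside the interactive session, as are events that arrive after the logout record.

```python
"""Bracket a suspicious audit event with the login and logout records of
the session it belongs to, and flag events that fall outside that bracket.

Added example; assumes audit.log-style records with USER_START/USER_END
marking PAM session open/close and auid/ses naming login UID and session.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records (invented values, audit.log-style layout).
# Serial 2 is the event we go looking for; serial 3 comes from a process
# with no controlling tty; serial 5 happens after the logout record.
SAMPLE_LOG = """\
type=USER_START msg=audit(1109037600.100:1): pid=2001 uid=0 auid=500 ses=7 msg='op=PAM:session_open acct="mallory" exe="/bin/login" terminal=tty1 res=success'
type=SYSCALL msg=audit(1109037650.200:2): arch=c000003e syscall=59 success=yes pid=2010 ppid=2001 auid=500 ses=7 tty=tty1 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1109037650.200:2): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1109037700.300:3): arch=c000003e syscall=59 success=yes pid=2020 ppid=1 auid=500 ses=7 tty=(none) comm="nohup" exe="/usr/bin/nohup"
type=USER_END msg=audit(1109037900.400:4): pid=2001 uid=0 auid=500 ses=7 msg='op=PAM:session_close acct="mallory" exe="/bin/login" terminal=tty1 res=success'
type=SYSCALL msg=audit(1109038000.500:5): arch=c000003e syscall=2 success=yes pid=2020 ppid=1 auid=500 ses=7 tty=(none) comm="nohup" exe="/usr/bin/nohup"
type=USER_START msg=audit(1109038100.600:6): pid=3001 uid=0 auid=501 ses=8 msg='op=PAM:session_open acct="alice" exe="/bin/login" terminal=tty2 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# A value is a double-quoted string, a single-quoted string (the nested
# msg='...' blob), or a run of non-blanks such as tty=(none).
KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


@dataclass
class Record:
    type: str
    time: float
    serial: int
    fields: dict


@dataclass
class Session:
    auid: str
    ses: str
    start: Optional[Record] = None                  # USER_START (login)
    end: Optional[Record] = None                    # USER_END (logout)
    events: list = field(default_factory=list)      # inside the session
    stragglers: list = field(default_factory=list)  # outside the bracket


def parse_record(line: str) -> Optional[Record]:
    """Split one audit.log line into its header and key=value fields."""
    m = HEADER.match(line)
    if m is None:
        return None
    rtype, stamp, serial, rest = m.groups()
    fields = {k: v.strip("\"'") for k, v in KV.findall(rest)}
    return Record(rtype, float(stamp), int(serial), fields)


def reconstruct_sessions(log: str) -> dict:
    """Group records by (auid, ses) into login-to-logout sessions.

    A record is a straggler if it arrives after the USER_END of its session
    or if its process has no controlling tty (tty=(none)): such a process
    cannot interact with the user, so it is not part of the interactive
    session even before logout. Records are assumed chronological.
    """
    sessions = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None or "ses" not in rec.fields:
            continue  # e.g. PATH: tied to its SYSCALL by serial, carries no ses
        key = (rec.fields.get("auid", "?"), rec.fields["ses"])
        s = sessions.setdefault(key, Session(*key))
        if rec.type == "USER_START":
            s.start = rec
        elif rec.type == "USER_END":
            s.end = rec
        elif s.end is not None or rec.fields.get("tty") == "(none)":
            s.stragglers.append(rec)
        else:
            s.events.append(rec)
    return sessions


def bracket_event(sessions: dict, serial: int) -> Optional[dict]:
    """For one event serial, report who was logged in, when the session
    started and ended, and which of its events fall outside that bracket."""
    for s in sessions.values():
        if not any(r.serial == serial for r in s.events + s.stragglers):
            continue
        return {
            "auid": s.auid,
            "ses": s.ses,
            "login": s.start.time if s.start else None,
            "logout": s.end.time if s.end else None,
            "in_session": any(r.serial == serial for r in s.events),
            "straggler_serials": [r.serial for r in s.stragglers],
        }
    return None


if __name__ == "__main__":
    found = reconstruct_sessions(SAMPLE_LOG)
    for wanted in (2, 5):
        print(wanted, bracket_event(found, wanted))
```

Run against a real audit.log the same way; a session with a `login` but no `logout` is exactly the "I have a login message, why isn't there a logout message?" case, and a non-empty `straggler_serials` list is Klaus's point that a logout record alone does not prove the user's processes are gone.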





More information about the Linux-audit mailing list