[PATCH] support using pam_audit.so in "account" stack

Tue Feb 22 05:09:52 UTC 2005

--- Klaus Weidner <klaus at atsec.com> wrote:

> On Mon, Feb 21, 2005 at 06:13:37PM -0800, Casey
> Schaufler wrote:
> > Nope. On the other hand, I cannot point to a
> system that has been
> > successfully evaluated that does not do this.
> 
> RHEL3, SLES8 and SLES9 have all been successfully
> evaluated as CAPP
> compliant with no logout messages...

Well, then I guess you're right and I'm wrong.

> > This will, of course, depend on how carefully
> you've defined a
> > "session". A detached process that is not
> associated with a controlling
> > tty cannot interact with the user, hence need not
> be considered a part
> > of the user's session.
> 
> Well, they are running on behalf of that user and
> need to be audited in
> the same way as if the user were still logged in.
> And the "interactive"
> distinction is fuzzy at best - what about programs
> run in a "screen"
> session that get detached and reattached later? Or a
> background program
> that opens a network socket accepting interactive
> commands? That's why a
> logout message is far less informative than a login
> message, it doesn't
> correspond to any particularily interesting or
> security relevant event.

It is interesting as a bracket for a group
of activities, just as the login is.

> > On the other hand, the collection on processes
> started by a cron job is
> > a session, even though no user is interacting.
> 
> Agreed, that's why crond needs to be instrumented to
> set up a proper
> audit context for the code run on the user's behalf,
> including the
> correct login UID. It doesn't mean that cron needs
> to write login/logout
> records.

Hum. We had to for our TCSEC evaluation,
and carried the code into the CC evaluation
because it was still working.

> > My point? It's not enough to have code that does
> auditing. No
> > evaluation team, even a Spanish team using the
> Common Criteria, will
> > have any patience with you if you take the
> attitude of "show me where
> > it says I have to do this". Especially if you use
> the fact that the
> > system makes audit hard to explain as the grounds
> for your argument.
> 
> Well, I'd have little patience with evaluation teams
> that expect me to
> implement something that clearly isn't required.

Ah, the Orange Book days were a bit tougher.

> It's the evaluator's job
> to verify that you correctly implement the features
> your product claims
> to have and that the claims match the chosen
> profile, not to dictate a
> design.

That was a major source of contention
back in the day.

> > - I found the event I was after. How do I find out
> when the evil person
> > logged in, and when she logged out?
> 
> The login message will be present, and tells you
> interesting things such
> as when and from where the person logged in and what
> authentication
> method was used. Instead of asking for a logout
> time, the more
> interesting question would be if any processes
> launched by that person
> are still active, and a logout message doesn't help
> determine that.

Perhaps.

> A logout message would be useful if the system
> guaranteed that all
> processes launched by that user are definitely
> terminated at that time,
> but that goes beyond the requirements of CAPP.

It's still useful to know when the user session
ended, even if all the activities haven't ceased.

> > A logout message does wonders toward having a
> compelling story without
> > this level of audit.
> 
> Hmmm, the type of evaluation I'm used to generally
> involves testing
> instead of having the developer tell stories ;-)

This is a major difference between the TCSEC
and CC evaluations. We told lots and lots of
stories in the TCSEC days.

> Maybe we'll just have to agree to disagree here,
> there are different ways
> to approach this issue. The CAPP audit requirements
> are fairly basic and
> aren't intended to be useful for all purposes.

True enough.

=====
Casey Schaufler
casey at schaufler-ca.com

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 