AVC messages

Stephen Smalley sds at epoch.ncsc.mil
Tue Jan 4 21:28:33 UTC 2005


On Tue, 2005-01-04 at 16:20, Chad Hanson wrote:
> What type of audit log separation are you suggesting?

First and foremost, just separating the SELinux audit messages from
other kernel log messages, i.e. don't send them to syslogd and don't put
them in /var/log/messages.  Then, if desired, separate them from DAC
audit messages.

> I would think SELinux AVC messages could be logged to a separate location.
> However, even a failed request because of DAC needs to have complete MAC
> information (label/type) of subject and object in the audit record for LSPP.

That will require a callback by the kernel audit framework into the
security module to get the supplementary information (e.g. the security
contexts) for inclusion in the DAC audit record, as the kernel audit
framework has no direct knowledge of security contexts.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency