audit 0.6 release
Casey Schaufler
casey at schaufler-ca.com
Fri Jan 7 00:23:39 UTC 2005
--- Leigh Purdie <Leigh.Purdie at intersectalliance.com> wrote:
> Tagging an inode with an audit flag is a good starting point to gain a
> capability,
One thing I've noticed is that no one has ever
asked to audit by inode number. Both Sun and SGI
rejected the notion of tagging a file for audit
not because it was hard (it isn't) but because
"copy, edit, replace" is the norm and the tags
get lost too easily.
> but I think we need to find a more comprehensive solution to provide an
> effective auditing subsystem that meets the 'filtering' requirements of
> many organisations.
The SGI audit records include
- Current Root
- Current directory
- The path requested
- The path resolved
- The device and inode
- All file attributes, including extended ones.
If /tmp/wombat is a symlink to /etc/passwd an open
record would include:
- /
- /home/btcat
- /tmp/wombat
- //tmp/>wombat//etc//passwd
- major,minor,86753
- stat info, ACL, MAC_LABEL, ...
allowing filtering on "passwd", which the syscall
never saw.
> Also, w.r.t. the success flag, we've encountered situations where a user
> wants to filter on both:
> * A broad success/failure, and
> * specific return/error codes
It is most important to distinguish access control
decisions from user errors.
=====
Casey Schaufler
casey at schaufler-ca.com
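As an added illustration of the symlink point in the message above (example code, not from the post and not SGI's or Linux audit's own implementation): a Python sketch that builds an open() record with the fields Casey lists, then applies a name filter first to the path the syscall saw and then to the resolved path. The /tmp/wombat -> /etc/passwd layout is constructed inside a temporary directory.

```python
import os
import tempfile


def build_open_record(root: str, cwd: str, requested: str) -> dict:
    """Model the fields listed for an SGI-style open() record.

    Only the audit layer can fill in 'resolved': the syscall itself only
    ever saw the string in 'requested'.
    """
    resolved = os.path.realpath(os.path.join(cwd, requested))  # follows symlinks
    st = os.stat(resolved)
    return {
        "root": root,
        "cwd": cwd,
        "requested": requested,
        "resolved": resolved,
        "dev": (os.major(st.st_dev), os.minor(st.st_dev)),
        "inode": st.st_ino,
        "mode": st.st_mode & 0o7777,  # stand-in for the full attribute set
    }


def name_filter(record: dict, field: str, name: str) -> bool:
    """True if the final path component of record[field] equals `name`."""
    return os.path.basename(record[field]) == name


def demo() -> dict:
    """Constructed layout: <top>/tmp/wombat is a symlink to <top>/etc/passwd."""
    with tempfile.TemporaryDirectory() as top:
        os.mkdir(os.path.join(top, "etc"))
        os.mkdir(os.path.join(top, "tmp"))
        target = os.path.join(top, "etc", "passwd")
        with open(target, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
        os.symlink(target, os.path.join(top, "tmp", "wombat"))
        rec = build_open_record(root="/", cwd=os.path.join(top, "tmp"),
                                requested="wombat")
        return {
            # a filter keyed on the syscall argument never sees "passwd"
            "filter_on_requested": name_filter(rec, "requested", "passwd"),
            # a filter keyed on the resolved path does
            "filter_on_resolved": name_filter(rec, "resolved", "passwd"),
            "resolved_suffix": rec["resolved"].endswith(os.path.join("etc", "passwd")),
            "inode_matches": rec["inode"] == os.stat(target).st_ino,
        }
```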