CAPP auditable events

Steve Grubb sgrubb at
Mon Jul 18 19:13:23 UTC 2005

On Monday 18 July 2005 11:55, Amy Griffis wrote:
> I'm interested in defining a set of audit rules/watches that, when
> loaded, cause audit to generate the set of auditable events required
> by CAPP (CAPP, pp. 19-21).

I am interested in packaging something in a contrib directory. Maybe we can 
all help in this so there is a baseline that can be tweaked for a particular 
security target.

> I've consulted a variety of sources, including the CAPP specification
> itself, the LAuS design document, and the LAuS filter.conf file
> provided with our CAPP certification RPM.  From that, I have a
> configuration I believe to be fairly complete.

Great. I would be interested in seeing the config. Maybe others can comment on 
it. There is the issue of per-arch syscall differences. I had hoped that 
someone somewhere would have started trying to actually use the audit system 
for a real CAPP style config. I think we would have heard from them on this 
and other issues regarding usability.

> Is there a follow-on to the CAPP spec that provides a definitive
> technical specification of the auditable events for linux 2.6; for
> instance, by listing the specific system calls?

No. This would be spelled out in the security target. I would imagine that all 
of the files in /etc that involve user accounts, machine identity, and 
certain config files would have a watch. I also think that syscalls won't be 
used too much except as related to a specific inode. Syscalls that set the 
machine name or time would probably be audited, but I think that's all.
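The outline above (watches on the account and machine-identity files under /etc, plus the hostname and time-setting syscalls) can be written out as a baseline audit rule set. The script below is an added example for this thread, not a configuration from the original message or from the audit project; the choice of watched paths, the key names, and the `b64`/`b32` arch pairing are assumptions for a 64-bit x86 host and would need adjusting to a real security target. It emits rules in `auditctl` syntax so they can be reviewed before being loaded, and it puts `stime` only under `arch=b32`, since that syscall does not exist on x86_64 and `auditctl` rejects a `b64` rule naming it.

```shell
#!/bin/sh
# Added example (not part of the original thread): generate a baseline
# CAPP-style rule set in auditctl syntax. Paths and key names are assumptions.

# Emit the rule set on stdout. Redirect into /etc/audit/audit.rules or feed
# it to auditctl -R (see load_rules below).
capp_rules() {
  # Flush any existing rules and enlarge the kernel backlog (assumed size)
  echo '-D'
  echo '-b 8192'

  # Watches on files that define user accounts: writes and attribute changes
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    echo "-w $f -p wa -k identity"
  done

  # Watches on files that define machine identity (assumed locations)
  for f in /etc/hostname /etc/hosts /etc/sysconfig/network; do
    echo "-w $f -p wa -k system-locale"
  done

  # Watches on security-relevant config directories (assumed selection);
  # a directory watch covers every file created or modified beneath it
  for d in /etc/audit /etc/pam.d /etc/security /etc/ssh; do
    echo "-w $d -p wa -k config"
  done

  # Syscall rules: on a 64-bit kernel a 32-bit process uses its own syscall
  # table, so each rule is needed once per arch or those calls go unaudited.
  # On a pure 32-bit kernel the arch=b64 lines must be dropped.
  for arch in b64 b32; do
    echo "-a always,exit -F arch=$arch -S sethostname,setdomainname -k system-locale"
    echo "-a always,exit -F arch=$arch -S settimeofday,adjtimex,clock_settime -k time-change"
  done

  # stime exists only in the 32-bit x86 table; listing it under arch=b64
  # makes auditctl reject the rule, so it gets its own b32-only line
  echo '-a always,exit -F arch=b32 -S stime -k time-change'
}

# Count how many syscall rules the set contains for one arch (b64 or b32);
# handy as a sanity check that every arch got its pair of rules.
syscall_rule_count() {
  capp_rules | grep -c "^-a always,exit -F arch=$1 "
}

# Write the rules to the audit rules file and load them. Needs root and a
# running auditd; path is the usual RHEL/Fedora location (assumed).
load_rules() {
  rules_file="${1:-/etc/audit/audit.rules}"
  capp_rules > "$rules_file" && auditctl -R "$rules_file"
}
```

To inspect the result without touching the live system, run `capp_rules` on its own; `load_rules` is the only function that calls `auditctl`, and `auditctl -R` reports which line it rejects if a syscall name is unknown for the given arch, which is the quickest way to catch the per-arch differences the thread raises.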
