[PATCH] LSPP audit enablement: storing selinux ocontext and scontext
Dustin Kirkland
dustin.kirkland at us.ibm.com
Thu Jul 28 19:59:49 UTC 2005
On Thu, 2005-07-28 at 15:03 -0400, Amy Griffis wrote:
> I have some comments about this patch as well, but I think I'll
> hold them until we discuss the LSPP audit requirements. As Steve
> previously mentioned, it's really not appropriate to be looking at
> code when we haven't yet discussed what needs to be done.
I was trying the "release early, release often" approach ;)
> If you have already researched the requirements, please include a
> listing with your patch, along with an explanation of how your patch
> meets those requirements. There is more to it than "basically
> appending object context and subject context labels to audit records".
>
> If you haven't done any investigation, let us know, so someone can
> work up a first draft of the requirements for us to discuss.
This isn't exactly re-designing audit from the ground up... It's adding
information to existing audit records, beyond what CAPP requires.
See the LSPP specification, section 5.1.1.2(b), copied here for your
convenience:
5.1 Security Audit (FAU)
5.1.1 Audit Data Generation (FAU_GEN.1)
5.1.1.1
The TSF shall be able to generate an audit record of the auditable
events listed in column “Event” of Table 1 (Auditable Events). This
includes all auditable events for the basic level of audit, except
FIA_UID.1’s user identity during failures.
5.1.1.2
The TSF shall record within each audit record at least the following
information:
a) Date and time of the event, type of event, subject identity, and the
outcome
b) The sensitivity labels of subjects, objects, or information
involved; and
c) The additional information specified in the “Details” column of
Table 1 (Auditable Events).
The patch submitted attempts to add (b) beyond what CAPP audit already
provides. I was hoping for feedback on where the patch falls short of
accomplishing this. If you want to have a design discussion first,
let's begin.
:-Dustin
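The 5.1.1.2 (a) and (b) requirement quoted above, as an added example that is not from this message, the patch under discussion, or the audit project: a check that groups audit records by serial number into events and reports which events lack a subject label on the SYSCALL record or an object label on each PATH record, alongside the CAPP-level items (subject identity, outcome). The sample records are constructed, and the subj=/obj= field names are an assumption about how the contexts are emitted, since the patch itself is not shown on this page.

```python
import re

# Constructed sample records for this example; they are not from the page, and
# the subj=/obj= field names are an assumption about how the SELinux subject
# and object contexts are emitted, since the patch itself is not shown here.
# Event 1001: complete.  Event 1002: CAPP-style records with no labels.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1122580789.123:1001): arch=c000003e syscall=2 '
    'success=yes exit=3 auid=500 uid=500 comm="cat" exe="/bin/cat" '
    'subj=user_u:user_r:user_t:s0',
    'type=PATH msg=audit(1122580789.123:1001): item=0 name="/etc/shadow" '
    'inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0 '
    'obj=system_u:object_r:shadow_t:s15:c0.c1023',
    'type=SYSCALL msg=audit(1122580790.456:1002): arch=c000003e syscall=2 '
    'success=no exit=-13 auid=500 uid=500 comm="cat" exe="/bin/cat"',
    'type=PATH msg=audit(1122580790.456:1002): item=0 name="/etc/shadow" '
    'inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0',
]

# "type=... msg=audit(<seconds>.<millis>:<serial>): <key=value ...>"
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into its header (type, timestamp, serial) and fields."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {
        'type': m.group('type'),
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'fields': fields,
    }


def group_events(lines):
    """Group records by serial: one auditable event spans several records."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec['serial'], []).append(rec)
    return events


def check_event(records):
    """Return the FAU_GEN.1 5.1.1.2 items an event is missing (empty list = complete).

    (a) date/time and type come from every record header; subject identity
        and outcome come from the SYSCALL record.
    (b) sensitivity labels: subj= on the SYSCALL record, obj= on each PATH record.
    """
    missing = []
    syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
    if syscall is None:
        missing.append('(a) no SYSCALL record: subject identity and outcome absent')
    else:
        f = syscall['fields']
        if 'auid' not in f and 'uid' not in f:
            missing.append('(a) subject identity (auid=/uid=)')
        if 'success' not in f:
            missing.append('(a) outcome (success=)')
        if 'subj' not in f:
            missing.append('(b) subject sensitivity label (subj=)')
    for r in records:
        if r['type'] == 'PATH' and 'obj' not in r['fields']:
            missing.append('(b) object sensitivity label (obj=) for %s'
                           % r['fields'].get('name', '?'))
    return missing


def audit_coverage(lines):
    """Map each event serial to its list of missing 5.1.1.2 items."""
    return {serial: check_event(recs)
            for serial, recs in group_events(lines).items()}


if __name__ == '__main__':
    for serial, gaps in sorted(audit_coverage(SAMPLE_RECORDS).items()):
        print(serial, 'OK' if not gaps else '; '.join(gaps))
```

The check only tests for the presence of the label fields; whether the recorded sensitivity level (the s0 or s15:c0.c1023 part of the context) is the right one for the subject and object is a separate question that needs the policy, not just the log.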