[PATCH] LSPP audit enablement: storing selinux ocontext and scontext

Dustin Kirkland dustin.kirkland at us.ibm.com
Thu Jul 28 19:59:49 UTC 2005


On Thu, 2005-07-28 at 15:03 -0400, Amy Griffis wrote:
> I have some comments about this patch as well, but I think I'll
> hold them until we discuss the LSPP audit requirements.  As Steve
> previously mentioned, it's really not appropriate to be looking at
> code when we haven't yet discussed what needs to be done.

I was trying the "release early, release often" approach ;)

> If you have already researched the requirements, please include a
> listing with your patch, along with an explanation of how your patch
> meets those requirements.  There is more to it than "basically
> appending object context and subject context labels to audit records".
> 
> If you haven't done any investigation, let us know, so someone can
> work up a first draft of the requirements for us to discuss.

This isn't exactly re-designing audit from the ground up...  It's adding
information to existing audit records, beyond what CAPP requires.

See the LSPP specification, section 5.1.1.2(b), copied here for your
convenience:

5.1	Security Audit (FAU)
5.1.1	Audit Data Generation (FAU_GEN.1)
5.1.1.1	
	The TSF shall be able to generate an audit record of the auditable
events listed in column “Event” of Table 1 (Auditable Events). This
includes all auditable events for the basic level of audit, except
FIA_UID.1’s user identity during failures.
5.1.1.2
	The TSF shall record within each audit record at least the following
information:
	a) Date and time of the event, type of event, subject identity, and the
outcome
	b) The sensitivity labels of subjects, objects, or information
involved; and
	c) The additional information specified in the “Details” column of
Table 1 (Auditable Events).
	
The patch submitted attempts to add (b) beyond what CAPP audit already
provides.  I was hoping for feedback on where the patch falls short
accomplishing this.  If you want to have a design discussion first,
let's begin.



:-Dustin
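Added example, not part of Dustin's message or of the patch under discussion: a small Python checker that reads constructed audit records and flags events that lack the subject or object label that requirement 5.1.1.2(b) above calls for. The record layout, the event serial in msg=audit(...), and the field names subj= and obj= are assumptions made for this example; the page does not show how the patch itself encodes the SELinux contexts.

```python
import re

# Constructed sample records (assumed layout; not taken from the page or the
# patch). Event 42 carries both labels, event 43 carries neither, so a checker
# for requirement (b) must report 43 and accept 42.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1122580789.123:42): arch=c000003e syscall=2 '
    'success=yes exit=3 uid=0 subj=system_u:system_r:kernel_t:s0 comm="cat"',
    'type=PATH msg=audit(1122580789.123:42): item=0 name="/etc/shadow" '
    'inode=1234 obj=system_u:object_r:shadow_t:s0',
    'type=SYSCALL msg=audit(1122580790.456:43): arch=c000003e syscall=2 '
    'success=no exit=-13 uid=1000 comm="cat"',
    'type=PATH msg=audit(1122580790.456:43): item=0 name="/etc/shadow" '
    'inode=1234',
]

# key=value pairs; values are either a double-quoted string (with escapes)
# or a run of non-space characters such as a SELinux context.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<timestamp>:<serial>) ties the records of one event together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of fields, unquoting strings."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def group_by_event(lines):
    """Group parsed records by their audit event serial number."""
    events = {}
    for line in lines:
        match = MSG_RE.search(line)
        if not match:
            continue  # not an audit(...) record; ignore it
        serial = int(match.group(2))
        events.setdefault(serial, []).append(parse_record(line))
    return events


def missing_labels(lines):
    """Return {serial: [problem, ...]} for events that violate (b).

    Assumed convention: the SYSCALL record carries the subject context in
    subj= and every PATH record carries its object's context in obj=.
    """
    problems = {}
    for serial, records in group_by_event(lines).items():
        issues = []
        for rec in records:
            rtype = rec.get('type')
            if rtype == 'SYSCALL' and 'subj' not in rec:
                issues.append('SYSCALL record lacks subject label (subj=)')
            if rtype == 'PATH' and 'obj' not in rec:
                issues.append('PATH record for %s lacks object label (obj=)'
                              % rec.get('name', '?'))
        if issues:
            problems[serial] = issues
    return problems


if __name__ == '__main__':
    for serial, issues in sorted(missing_labels(SAMPLE_RECORDS).items()):
        for issue in issues:
            print('event %d: %s' % (serial, issue))
```

Run against a real audit log, the checker is a quick way to see which record types the patch actually labels and which are still missing one, which is the concrete gap the LSPP text leaves open for discussion.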