LSPP Requirements -- first pass

Chris Wright chrisw at osdl.org
Fri Jul 29 05:23:07 UTC 2005


* Amy Griffis (amy.griffis at hp.com) wrote:
> I think the next steps should be:
> 
>     * Determine each audit record field in our current set of possible
>       records that requires a sensitivity label (marked TODO below).

I'd expect this simply expanding the notion of process (currently auid, uid,
gid, etc.) to include label.  Hmm, I'd imagine this should include
capabilities as well.  Similarly for inode, socket, ipc...

>     * List where requirements necessitate changes to kernel, audit
>       tools, or applications.
> 
> Additionally, user attributes will now include the SELinux user
> identity and SELinux role.  Is there ever a need to include that
> information in audit records generated by the audit subsystem?  Or
> will all events requiring that information be logged by SELinux?

All current audit records (i.e. CAPP style) which require logging
subject/object, now simply have expanded notion of subject/object
(i.e. relevant labels).  Certainly, this includes those generated from the
audit subsystem, which simply needs to query security module to get label.
I suppose one question is what format?  Standard security_getprocattr
type hook to just get text is simplest.

thanks,
-chris



