[RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing

Timothy R. Chavez tinytim at us.ibm.com
Thu Mar 31 18:42:49 UTC 2005


Hello,

.:: Introduction ::.

In its present state, the Linux audit subsystem cannot be used in a Common 
Criteria (ISO/IEC 15408)[1] CAPP/EAL4+[2] evaluation.  This patch addresses a 
blocking deficiency in the current implementation regarding the inability to 
audit file system objects by "name".   Currently, one is limited to using a 
(inode,device) filter rule to audit syscall access to the object.  This is 
insufficient for CAPP because (1) the object is not being audited or 
identified by "name" nor (2) will it remain auditable if the underlying inode 
changes.  What follows from this requirement is the ability to better observe 
the _behavior_ of the object.

Here is a relevant example showcasing the deficiency:

The administrator audits "/etc/shadow".  To do so, she adds the filter rule 
using "/etc/shadow"'s inode and device.  She then runs 'passwd' and changes 
her password.  She gives a cursory glance at the audit log and sees that some 
records have been generated.  However, she runs 'passwd' again, checks the 
log, and sees that no new records have been generated.  She does an 'ls 
-i /etc/shadow' and notices that the inode has changed.  Upon closer 
inspection of the audit log, she realizes that what's there is actually 
incomplete; audit records were lost due to the inode change before 'passwd' 
completed execution.
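The scenario above replayed in a scratch directory, as an added illustration that is not part of the patch: a file standing in for /etc/shadow is rewritten the way passwd does it (temp file, then rename over the original), and a rule keyed on (inode,device) is compared with one keyed on the name. The helper names and the sample line contents are constructed for this example.

```python
import os
import tempfile

def object_key(path):
    """Return the (device, inode) pair an inode/device filter rule is keyed on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def inode_rule_matches(rule_key, path):
    """An (inode,device) rule fires only if the name still resolves to that pair."""
    return object_key(path) == rule_key

def name_rule_matches(rule_path, path):
    """A by-name watch fires for whichever inode the name currently resolves to."""
    return os.path.realpath(path) == os.path.realpath(rule_path)

def update_like_passwd(path, contents):
    """Rewrite a file the way passwd does: write a sibling temp file, then
    rename it over the original. The name survives; the inode does not."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    os.rename(tmp, path)

def run_scenario(workdir):
    """Replay the cover letter's example; report which rule type fired when."""
    shadow = os.path.join(workdir, "shadow")  # constructed stand-in for /etc/shadow
    with open(shadow, "w") as f:
        f.write("alice:OLDHASH:16000:0:99999:7:::\n")   # constructed sample line
    rule_key = object_key(shadow)   # what the administrator pins her rule to today
    outcome = {}
    outcome["inode_rule_before"] = inode_rule_matches(rule_key, shadow)
    outcome["name_rule_before"] = name_rule_matches(shadow, shadow)
    update_like_passwd(shadow, "alice:NEWHASH:16001:0:99999:7:::\n")
    outcome["inode_changed"] = object_key(shadow) != rule_key
    # Accesses after the change no longer match the stale (inode,device) rule,
    # which is why the second 'passwd' run produced no records in the log.
    outcome["inode_rule_after"] = inode_rule_matches(rule_key, shadow)
    outcome["name_rule_after"] = name_rule_matches(shadow, shadow)
    return outcome

def demo():
    """Run the scenario in a temporary directory and return the outcome dict."""
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(d)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```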

The patch is broken into two parts.

Part 1: The actual implementation of the file system auditing piece
Part 2: The hooks

+ + + +

[1] Common Criteria is an internationally recognized ISO standard centered around IT 
security evaluations (http://csrc.nist.gov/cc/)
[2] CAPP/EAL4 (Controlled Access Protection Profile)/Evaluation Assurance 
Level 4+ is for generalized environments with a moderate level of risk to the 
assets.  For more information about CAPP requirements: 
(http://www.commoncriteriaportal.org/public/files/ppfiles/capp.pdf)

-tim