New Audit types

Steve Grubb sgrubb at redhat.com
Wed Nov 2 17:10:42 UTC 2005


On Wednesday 02 November 2005 11:43, Matt Anderson wrote:
>Here are the four types that were required for Cups
>
> AUDIT_LABELED_EXPORT
> AUDIT_UNLABELED_EXPORT

Just a generic question -- do we need to patch cat, cp, rsync, scp, star, ... 
to have these, too? 

What if they do:
file=`cat secret`
echo $file > /mnt/unlabeled-device/file

Would it be reasonable to expect the shell script to trigger this event? If so, 
would we need to patch all these apps or should this be done via a kernel 
mechanism? If catching this is reasonable...what about anything else like 
perl, python, expect, etc.

> AUDIT_LABEL_OVERRIDE
> AUDIT_LABELED_LEVEL_CHANGE

These seem to be user space oriented, so I'll add these to libaudit.h.

I think we also need these:

AUDIT_LABELED_IMPORT
AUDIT_UNLABELED_IMPORT

But as to whether they are kernel or userspace message types will depend on 
discussing the first paragraph.

-Steve



