[redhat-lspp] Watch question

[Casey Schaufler]

--- Amy Griffis <amy.griffis at hp.com> wrote:

> Timothy R. Chavez wrote:     [Fri Apr 28 2006,
> 11:29:27AM EDT]
> > On Fri, 2006-04-28 at 08:50 -0400, Steve Grubb
> wrote:
> > > I completely disagree with the current file
> system auditing approach requiring 
> > > explicit syscall coupling. I think it is a big
> problem for the security 
> > > community to have a tool for auditing files that
> requires knowledge of 
> > > syscalls. 
> 
> This audit subsystem was designed around knowledge
> of syscalls, to the
> point that it requires the user to know whether a
> particular rule
> field is applicable at syscall entry or exit time.
> (!)

The alternative to understanding system calls is
understanding the underlying security policy in
detail, and in truth you'll get lost pretty
quickly if you don't understand both on whatever
system you're using. For audit to be complete it
must be done at a low enough level that access
control decisions can be observed. Since access
control is deeply embedded in the system it is
necessary to embed audit as well. Systems that
use a explicitly modular reference monitor have
an advantage, but are still constrained by the
information provided them. (reference the recent
"inode" vs. "pathname" discussion on LSM)

It is also the case that auditing must be coupled
to the action requested. I'll admit that open()
is not a very informative event, and that ioctl()
is even worse. But for "real intent" there is no
metric.


Casey Schaufler
casey at schaufler-ca.com