NetLabel audit messages

Paul Moore paul.moore at hp.com
Fri Sep 22 17:38:44 UTC 2006


In order to meet certain certification requirements, the NetLabel kernel
subsystem needs to write a small number of audit messages.  From what I
can tell this is going to require a new message type as well as
agreement on the content and formatting of the messages themselves.  Am
I missing anything?

For the new message type, I would like to propose the following:

 #define AUDIT_NLBL 1480


For the messages themselves, here is what I was thinking:

 "netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
            exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
            fsuid=<fsuid> gid=<gid> egid=<egid> sgid=<sgid>
            fsgid=<fsgid> [<cipsov4 extras>|<management extras>]"

 <protocol>         => cipsov4 | unlabeled | management

 <operation>        => (for protocol == cipsov4) add | del
                       (for protocol == unlabeled) accept | deny
                       (for protocol == management) map_add | map_delete

 <cipsov4 extras>   => doi=<DOI #> type=<DOI type>
  <DOI #>    => (CIPSO DOI value, i.e. unsigned 32-bit value)
  <DOI type> => std | pass

 <management extras> => domain=<domain> protocol=<protocol> [doi=<DOI #>]
  <domain>   => "(domain string, i.e. foo_t)" | default

Comments and suggestions are welcome.

-- 
paul moore
linux security @ hp
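The following is an added example, not code from the post above or from the NetLabel project: a Python parser and validator for the record grammar Paul proposes, written the way a detection engineer would consume such records from the audit log. It assumes the proposed `AUDIT_NLBL 1480` type number, the `netlabel: <protocol> key=value ...` layout, the per-protocol operation lists and the `<cipsov4 extras>` / `<management extras>` productions exactly as given in the message; the sample records are constructed for illustration. It enforces what the grammar implies (every process-context field present, the `op` legal for its protocol, the DOI an unsigned 32-bit value, `type` one of `std`/`pass`, no stray extras), which is also a useful lens on the proposal itself: anything the parser has to guess about is something the format should pin down.

```python
"""Parse and validate NetLabel audit records in the format proposed in the post."""
import shlex
from typing import Dict, Set

# Message type number as proposed in the post (assumption; not taken from a kernel header).
AUDIT_NLBL = 1480

# <operation> allowed for each <protocol>, as listed in the proposal.
OPERATIONS: Dict[str, Set[str]] = {
    "cipsov4": {"add", "del"},
    "unlabeled": {"accept", "deny"},
    "management": {"map_add", "map_delete"},
}

# Process-context fields every record carries, in the proposal's order.
COMMON_KEYS = ("op", "pid", "tty", "comm", "exe", "uid", "auid", "euid",
               "suid", "fsuid", "gid", "egid", "sgid", "fsgid")
NUMERIC_KEYS = tuple(k for k in COMMON_KEYS if k not in ("op", "tty", "comm", "exe"))
DOI_TYPES = {"std", "pass"}

# Constructed sample records (not real audit output).
SAMPLE_CIPSOV4_ADD = ("netlabel: cipsov4 op=add pid=2345 tty=pts0 comm=netlabelctl "
                      "exe=/sbin/netlabelctl uid=0 auid=500 euid=0 suid=0 fsuid=0 "
                      "gid=0 egid=0 sgid=0 fsgid=0 doi=3 type=std")
SAMPLE_MGMT_MAP_ADD = ("netlabel: management op=map_add pid=2346 tty=pts0 comm=netlabelctl "
                       "exe=/sbin/netlabelctl uid=0 auid=500 euid=0 suid=0 fsuid=0 "
                       "gid=0 egid=0 sgid=0 fsgid=0 domain=\"foo_t\" protocol=cipsov4 doi=3")
SAMPLE_UNLBL_DENY = ("netlabel: unlabeled op=deny pid=2347 tty=(none) comm=netlabelctl "
                     "exe=/sbin/netlabelctl uid=0 auid=4294967295 euid=0 suid=0 fsuid=0 "
                     "gid=0 egid=0 sgid=0 fsgid=0")
SAMPLE_BAD_OP = SAMPLE_CIPSOV4_ADD.replace("op=add", "op=accept")  # accept is not a cipsov4 op


class NetLabelAuditError(ValueError):
    """Raised for a record that does not match the proposed grammar."""


def _parse_doi(text: str) -> int:
    """<DOI #> is an unsigned 32-bit CIPSO DOI value."""
    if not text.isdigit():
        raise NetLabelAuditError(f"doi is not an unsigned integer: {text!r}")
    doi = int(text)
    if doi > 0xFFFFFFFF:
        raise NetLabelAuditError(f"doi does not fit in 32 bits: {doi}")
    return doi


def parse_netlabel_msg(msg: str) -> Dict[str, object]:
    """Return a typed dict for one record, or raise NetLabelAuditError."""
    prefix = "netlabel: "
    body = msg.strip()
    if not body.startswith(prefix):
        raise NetLabelAuditError("record does not start with 'netlabel: '")
    # shlex handles the quoted <domain> string; every other value is a bare token.
    tokens = shlex.split(body[len(prefix):])
    if not tokens or tokens[0] not in OPERATIONS:
        raise NetLabelAuditError("missing or unknown <protocol>")
    protocol = tokens[0]

    fields: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if not sep or not key:
            raise NetLabelAuditError(f"token is not key=value: {tok!r}")
        if key in fields:
            raise NetLabelAuditError(f"duplicate field: {key}")
        fields[key] = val

    missing = [k for k in COMMON_KEYS if k not in fields]
    if missing:
        raise NetLabelAuditError(f"missing fields: {missing}")
    if fields["op"] not in OPERATIONS[protocol]:
        raise NetLabelAuditError(f"op={fields['op']!r} is not valid for protocol {protocol}")

    record: Dict[str, object] = {"type": AUDIT_NLBL, "protocol": protocol, "op": fields["op"],
                                 "tty": fields["tty"], "comm": fields["comm"], "exe": fields["exe"]}
    for key in NUMERIC_KEYS:  # pid and the id fields must be plain unsigned integers
        if not fields[key].isdigit():
            raise NetLabelAuditError(f"{key} is not numeric: {fields[key]!r}")
        record[key] = int(fields[key])

    extras = set(fields) - set(COMMON_KEYS)
    if protocol == "cipsov4":
        if extras != {"doi", "type"}:
            raise NetLabelAuditError(f"cipsov4 extras must be doi and type, got {sorted(extras)}")
        if fields["type"] not in DOI_TYPES:
            raise NetLabelAuditError(f"unknown DOI type: {fields['type']!r}")
        record["doi"] = _parse_doi(fields["doi"])
        record["doi_type"] = fields["type"]
    elif protocol == "unlabeled":
        if extras:
            raise NetLabelAuditError(f"unlabeled records carry no extras, got {sorted(extras)}")
    else:  # management: domain and protocol required, doi optional
        if not {"domain", "protocol"} <= extras or not extras <= {"domain", "protocol", "doi"}:
            raise NetLabelAuditError(f"bad management extras: {sorted(extras)}")
        if fields["protocol"] not in OPERATIONS:  # the grammar reuses the <protocol> production
            raise NetLabelAuditError(f"unknown mapping protocol: {fields['protocol']!r}")
        record["domain"] = fields["domain"]          # quoted domain string or the word default
        record["map_protocol"] = fields["protocol"]
        if "doi" in fields:
            record["doi"] = _parse_doi(fields["doi"])
    return record


if __name__ == "__main__":
    for line in (SAMPLE_CIPSOV4_ADD, SAMPLE_MGMT_MAP_ADD, SAMPLE_UNLBL_DENY, SAMPLE_BAD_OP):
        try:
            print(parse_netlabel_msg(line))
        except NetLabelAuditError as err:
            print(f"rejected: {err}")
```

Two things the exercise surfaces: the management `protocol=` key collides in name with the record's own `<protocol>` position, so a consumer has to keep them apart (here as `map_protocol`), and because the quoted `<domain>` is the only value that can contain whitespace, a tokenizer that understands quoting is enough for this grammar but any later field with free-form text would need the same treatment.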
