NetLabel audit messages

Paul Moore paul.moore at hp.com
Fri Sep 22 18:43:47 UTC 2006


Steve Grubb wrote:
> On Friday 22 September 2006 13:38, Paul Moore wrote:
>>In order to meet certain certification requirements, the NetLabel kernel
>>subsystem needs to write a small number of audit messages. 
> 
> What are the requirements you are addressing? (I have a feeling that it's 
> similar to what we have to do to file systems.)

This is for LSPP certification, directly from our evaluator.  If it is
important that you know the exact requirement in CC terms I can dig that
up.  The basic motivation is that we need to generate an audit record
whenever there is a security-relevant configuration change.

>>For the messages themselves, here is what I was thinking:
>>
>> "netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
>>            exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
>>            fsuid=<fsuid> gid=<gid> egid=<euid> sgid=<suid>
>>            fsgid=<fsuid> [<cipsov4 extras>|<managment extras>]"
> 
> This looks very much like a syscall record...would it make sense to do this as 
> an aux record?

It looks like this is going to be discussed on IRC.

-- 
paul moore
linux security @ hp



