[RFC 1/1] NetLabel: add audit support for configuration changes

Paul Moore paul.moore at hp.com
Thu Sep 28 14:27:08 UTC 2006


Linda Knippers wrote:
> Thanks for sending the audit records.
>
>> # netlabelctl unlbl accept on
>>
>>type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl 
>>action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl"  
>>exe="/usr/local/sbin/netlabelctl"
>>
>> (there is also an audit message for "unlbl accept off" which changes
>>  "action=accept" to "action=deny")
>  
> One nit-picky comment is that once the user-space tools know about the
> message type and insert "MAC_UNLBL_ACCEPT" as the type, the module=
> and action= fields will be somewhat redundant.  I think the same is
> true for the other types of audit records.  You could omit the switch
> statement in netlbl_audit_start_common() and shorten the audit records
> if we rely on the audit record type to provide that module/action information.

I've received similar comments from others as well, I plan on dropping
those two fields in the next release of the patch.  Speaking of which, I
should have the next release out later today; I'm just waiting on some
feedback to see if it meets all of the LSPP certification requirements.

-- 
paul moore
linux security @ hp
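As an added illustration of the record format discussed above (not code from the thread or from the NetLabel project), the following parses the netlabel audit records, resolves the raw `type=UNKNOWN[1406]` form to the symbolic `MAC_UNLBL_ACCEPT` name the thread says user space will emit, and picks out every unlabeled-traffic policy change so a log monitor can flag it. The sample lines are constructed, and the 1406 to MAC_UNLBL_ACCEPT mapping is an assumption drawn from the thread.

```python
import re

# Constructed sample lines, modelled on the record quoted in the thread. The
# first is the raw form (type=UNKNOWN[1406]); the second uses the symbolic
# name the thread says user space will print once it knows the type.
SAMPLE_LOG = """\
type=UNKNOWN[1406] msg=audit(1159362394.806:420): netlabel: module=unlbl action=accept auid=0 uid=0 euid=0 tty=pts0 pid=6711 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl"
type=MAC_UNLBL_ACCEPT msg=audit(1159362500.100:421): netlabel: module=unlbl action=deny auid=0 uid=0 euid=0 tty=pts0 pid=6720 comm="netlabelctl" exe="/usr/local/sbin/netlabelctl"
type=SYSCALL msg=audit(1159362501.000:422): arch=c000003e syscall=59 success=yes exit=0
"""

# Assumed mapping: the thread pairs numeric type 1406 with the name
# MAC_UNLBL_ACCEPT; no other type numbers appear on the page.
TYPE_NAMES = {1406: "MAC_UNLBL_ACCEPT"}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values are either a "quoted string" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    rtype = m.group("type")
    num = re.fullmatch(r"UNKNOWN\[(\d+)\]", rtype)
    # Resolve a numeric type the tools did not know to its symbolic name.
    rec["type"] = TYPE_NAMES.get(int(num.group(1)), rtype) if num else rtype
    body = m.group("body")
    rec["netlabel"] = body.startswith("netlabel:")
    for key, raw, quoted in FIELD_RE.findall(body):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def unlabeled_policy_changes(log_text):
    """Return (serial, action, auid, exe) for every record that changes the
    NetLabel unlabeled-traffic policy: the events a monitor should flag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "MAC_UNLBL_ACCEPT":
            hits.append((rec["serial"], rec.get("action"), rec.get("auid"), rec.get("exe")))
    return hits
```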



