[redhat-lspp] Fwd: suggestions

Timothy R. Chavez tinytim at us.ibm.com
Thu Nov 10 21:46:26 UTC 2005


Ok here's what Steve had suggested.  George initially approved the
first 5.  If you're interested in any of the others, pass it by George.

-tim

----------  Forwarded Message  ----------

Subject: suggestions
Date: Monday 24 October 2005 13:25
From: Steve Grubb <sgrubb at redhat.com>
To: "Timothy R. Chavez" <tinytim at us.ibm.com>

Ok here's a few...

1) add subject information to any user space originating audit message (Tim)
2) make all kernel config changes conform to:
   auid=%lu act='action' res=success/fail
3) Loading MAC policy is auditable event. Send config changed message
4) Service discontinuity is auditable event. (R/FPT_RCV.1) In other words when 
SELinux is disabled. "setenforce 0" audit message should be generated when 
it changes state.
5) make all audit system hooks use the inline function technique for hooking. 
This helps performance. Coordinate with David since he may have already 
started into this one. (Dustin)
^^^^^^^
Tim's Note:  Not sure what David's actually done here.



Not necessarily LSPP, but some quickies:
6) review kernel messages to ensure success & failure is always indicated. 
This includes changing audit params and inserting watches/rules. Create a 
standard logging function to ensure conformance to format.
7) rlimit violations are auditable. Going over or attempting to increase.
8) diskspace quota needs audit enhancement
9) Ethernet going into promiscuous mode is auditable

Longer items: 
10) Ability to track child processes.
11) Trusted Path

-Steve



-------------------------------------------------------
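
Items 2 and 6 in the forwarded list ask for one fixed record layout and a standard logging function that enforces it. The user-space C code below is an added example, not part of either message or of any kernel patch; the function names, buffer size and sample values are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space helper (not kernel code): emit a record in the
 * item 2 layout. Returns its length, or -1 if the action text would break
 * the format or the buffer is too small. */
int format_config_change(char *buf, size_t len, unsigned long auid,
                         const char *action, int success)
{
    if (action == NULL || *action == '\0')
        return -1;
    for (const char *p = action; *p; p++)
        /* a quote or control character would end act='...' early */
        if (*p == '\'' || !isprint((unsigned char)*p))
            return -1;
    int n = snprintf(buf, len, "auid=%lu act='%s' res=%s",
                     auid, action, success ? "success" : "fail");
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Returns 1 if msg is exactly auid=<digits> act='<text>' res=success|fail,
 * so the outcome is always stated (item 6); 0 otherwise. */
int record_conforms(const char *msg)
{
    const char *p = msg, *q;
    if (strncmp(p, "auid=", 5) != 0 || !isdigit((unsigned char)p[5]))
        return 0;
    for (p += 5; isdigit((unsigned char)*p); p++)
        ;
    if (strncmp(p, " act='", 6) != 0)
        return 0;
    p += 6;
    q = strchr(p, '\'');
    if (q == NULL || q == p || strncmp(q + 1, " res=", 5) != 0)
        return 0;
    q += 6;
    return strcmp(q, "success") == 0 || strcmp(q, "fail") == 0;
}

int main(void)
{
    char rec[128];   /* constructed sample values below */
    if (format_config_change(rec, sizeof rec, 500, "setenforce 0", 1) > 0)
        printf("%s conforms=%d\n", rec, record_conforms(rec));
    printf("missing res: conforms=%d\n", record_conforms("auid=500 act='x'"));
    return 0;
}
```

Rejecting quotes and non-printable characters in the action text keeps a caller-supplied string from forging a second `res=` field or a second record.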



