[redhat-lspp] auditing under lspp
Steve Grubb
sgrubb at redhat.com
Wed Sep 21 15:58:12 UTC 2005
Hello,
I am trying to work out how the audit rules will be specified for LSPP
requirements. There are several situations that I think we should go over.
1) Does it make sense to allow auditing by type?
auditctl -a entry,always -F type=etc_t
2) auditing by category/compartment?
auditctl -a entry,always -F cat=c0
3) auditing by level?
auditctl -a entry,always -F level=s0
or ranges
auditctl -a entry,always -F level>s5
auditctl -a entry,always -F level=s2-s5
4) auditing by SE Linux users:
auditctl -a entry,always -F sel-user=system_u
5) auditing by kernel keys
auditctl key -t user -r keyring -u uid -r role -t type
6) auditing by network address or protocol (RBAC-FAU_SEL.1a)
auditctl net -f family -p proto -a addr
7) We still have the big issue of what actually does the MAC auditing. Should
these checks be done by the audit system or by SE Linux internals? If
internals, how do we insert/list/delete rules for mac auditing? It would seem
to be more efficient perhaps to do it in the SE Linux internals.
Thanks,
-Steve
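To make the semantics behind items 1 through 4 concrete, here is a small evaluator for the proposed filter forms (`type=`, `cat=`, `level=` with `>` and `s2-s5` ranges, `sel-user=`) applied to SELinux security contexts. This is an added illustration written for this page, not auditctl or kernel code; the filter syntax is the hypothetical one from the message above, and the matching rules (fields within one rule ANDed as in auditctl, numeric comparison on `sN` sensitivities, single-level contexts only, categories expanded from `c0.c2` notation) are my assumptions.

```python
"""Toy evaluator for the SELinux-aware audit filter forms proposed in the
post (type=, cat=, level= with ranges, sel-user=).  Added illustration, not
auditctl or kernel code: the filter syntax is the hypothetical one from the
message and the matching semantics are assumptions.
"""
import re

# Security context: user:role:type:level[:categories], e.g.
# "system_u:object_r:etc_t:s3:c0.c2".  Single level only; process contexts
# with a low-high range such as s0-s2 are deliberately not handled.
CTX_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)"
    r":(?P<level>s\d+)(?::(?P<cats>[c\d.,]+))?$")

# Filter: field, comparison operator, value, e.g. "level>s5" or "level=s2-s5".
FILTER_RE = re.compile(r"^(?P<field>[a-z_-]+)(?P<op>!=|>=|<=|=|>|<)(?P<value>.+)$")


def parse_context(ctx):
    """Split a context string into fields; categories become a set of ints."""
    m = CTX_RE.match(ctx)
    if not m:
        raise ValueError(f"unparseable context: {ctx!r}")
    cats = set()
    for part in (m.group("cats") or "").split(","):
        if not part:
            continue
        if "." in part:                      # "c0.c2" denotes the range c0..c2
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return {"user": m.group("user"), "role": m.group("role"),
            "type": m.group("type"), "level": int(m.group("level")[1:]),
            "cats": cats}


def parse_filter(spec):
    """Split one -F style filter into (field, operator, value)."""
    m = FILTER_RE.match(spec)
    if not m:
        raise ValueError(f"bad filter: {spec!r}")
    return m.group("field"), m.group("op"), m.group("value")


def _compare(op, actual, wanted):
    return {"=": actual == wanted, "!=": actual != wanted,
            ">": actual > wanted, "<": actual < wanted,
            ">=": actual >= wanted, "<=": actual <= wanted}[op]


def filter_matches(spec, ctx):
    """Evaluate one filter against a raw or already parsed security context."""
    if isinstance(ctx, str):
        ctx = parse_context(ctx)
    field, op, value = parse_filter(spec)
    if field == "level":
        if "-" in value:                     # range form: level=s2-s5
            if op != "=":
                raise ValueError("level ranges only support '='")
            lo, hi = (int(v[1:]) for v in value.split("-"))
            return lo <= ctx["level"] <= hi
        return _compare(op, ctx["level"], int(value[1:]))
    if op not in ("=", "!="):
        raise ValueError(f"{field} only supports '=' and '!='")
    if field == "cat":                       # category membership, not equality
        present = int(value[1:]) in ctx["cats"]
        return present if op == "=" else not present
    key = {"type": "type", "sel-user": "user"}.get(field)
    if key is None:
        raise ValueError(f"unknown field: {field!r}")
    return _compare(op, ctx[key], value)


def rule_matches(filters, ctx):
    """All -F filters of one rule must hold: auditctl ANDs them."""
    parsed = parse_context(ctx)
    return all(filter_matches(f, parsed) for f in filters)


def select_contexts(filters, contexts):
    """Return the contexts from a list that a rule with these filters would audit."""
    return [c for c in contexts if rule_matches(filters, c)]


if __name__ == "__main__":
    # Constructed sample contexts, not captured from a real system.
    SAMPLE = ["system_u:object_r:etc_t:s3:c0.c2",
              "user_u:user_r:user_t:s0",
              "system_u:system_r:init_t:s6:c5"]
    for rule in (["type=etc_t"], ["cat=c1"], ["level>s5"], ["level=s2-s5"],
                 ["sel-user=system_u", "level=s0-s4"]):
        print(rule, "->", select_contexts(rule, SAMPLE))
```

Two points the evaluator makes visible: a category filter is a membership test against the expanded set, not a string comparison of the context, and a level range needs an explicit lower and upper bound, so `level>s5` and `level=s2-s5` are different operators rather than two spellings of one. For reference, the auditctl that later shipped expresses these as the `subj_user`, `subj_role`, `subj_type`, `subj_sen`, `subj_clr`, `obj_user`, `obj_role`, `obj_type`, `obj_lev_low` and `obj_lev_high` fields of `-F`.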