[redhat-lspp] RBAC Roles

schaufler-ca.com - Casey Schaufler casey at schaufler-ca.com
Mon Sep 26 16:18:40 UTC 2005


Stephen Smalley <sds at tycho.nsa.gov> wrote:

> What is the more common case - non-persistent or persistent audit rules?

Real world audit usage (based on about 15 years
experience with Solaris, Irix, and the POSIX 1003.1e/2c
group) is much like aircraft operation: Long periods
of boredom punctuated by minutes of sheer terror.
Usually the rules don't get changed much. When an
event occurs that audit is truly useful for, the
parameters start getting adjusted like mad, as
the filters are tweaked and refined to track down
miscreants. This is the case where reloading the
whole policy is a problem. Often when you want a
change you want it NOW, and the information you
get is likely to result in another change that you
want NOW.  Further, you often zero in on a particular
user or even a process. It seems that there might
be something amiss if you have to reload the entire
system security policy just to increase the auditing
on a particular process.  Well, that's my view, and
that and $2.65 will get you a Starbucks.



------------------------
Casey Schaufler
casey at schaufler-ca.com
650.906.1780






