From: Casey Schaufler <casey@schaufler-ca.com>
To: Amy Griffis <amy.griffis@hp.com>, redhat-lspp@redhat.com
Cc: linux-audit@redhat.com
Subject: Re: [redhat-lspp] Watch question
Date: Mon, 1 May 2006 12:56:37 -0700 (PDT)
Message-ID: <20060501195637.65996.qmail@web36601.mail.mud.yahoo.com>
In-Reply-To: <20060501192543.GA24222@zk3.dec.com>
--- Amy Griffis <amy.griffis@hp.com> wrote:

> Timothy R. Chavez wrote: [Fri Apr 28 2006, 11:29:27AM EDT]
> > On Fri, 2006-04-28 at 08:50 -0400, Steve Grubb wrote:
> > > I completely disagree with the current file system auditing approach
> > > requiring explicit syscall coupling. I think it is a big problem for
> > > the security community to have a tool for auditing files that
> > > requires knowledge of syscalls.
>
> This audit subsystem was designed around knowledge of syscalls, to the
> point that it requires the user to know whether a particular rule
> field is applicable at syscall entry or exit time. (!)
The alternative to understanding system calls is understanding the
underlying security policy in detail, and in truth you'll get lost pretty
quickly if you don't understand both on whatever system you're using. For
audit to be complete it must be done at a low enough level that access
control decisions can be observed. Since access control is deeply embedded
in the system it is necessary to embed audit as well. Systems that use an
explicitly modular reference monitor have an advantage, but are still
constrained by the information provided them. (Reference the recent
"inode" vs. "pathname" discussion on LSM.)

It is also the case that auditing must be coupled to the action requested.
I'll admit that open() is not a very informative event, and that ioctl()
is even worse. But for "real intent" there is no metric.
Casey Schaufler
casey@schaufler-ca.com
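The point both sides of this exchange circle around, that a file watch is only a syscall rule in disguise, is easier to see with a small model of how a watch's permission mask is matched against the syscall that hit the path. The following Python is an added illustration and is not code from the audit subsystem, from auditctl, or from anyone on this thread. It assumes a hand-picked subset of the kernel's audit syscall classes and the perm bit names; the class table and the sample records are constructed for the example, not taken from a real system.

```python
"""Model of why `auditctl -w PATH -p rwxa` is still syscall-coupled.

Added illustration, not kernel or audit-userspace code. The syscall class
table below is an assumed, simplified subset; the records are constructed.
"""
import os

# Watch permission bits as a watch rule's perm field would carry them
# (names are an assumption for this example).
PERM_EXEC, PERM_WRITE, PERM_READ, PERM_ATTR = 1, 2, 4, 8
PERM_CHARS = {"x": PERM_EXEC, "w": PERM_WRITE, "r": PERM_READ, "a": PERM_ATTR}

# Assumed subset of the path-bearing syscalls each class covers. Note that
# read(2) and write(2) appear in no class: they act on a descriptor, carry
# no path, and therefore can never be matched against a path watch.
CLASS_WRITE = {"truncate", "creat", "unlink", "rename", "mkdir",
               "rmdir", "link", "symlink", "mknod"}
CLASS_READ = {"readlink", "getxattr", "listxattr"}
CLASS_CHATTR = {"chmod", "chown", "setxattr", "removexattr"}
CLASS_EXEC = {"execve"}

O_ACCMODE = os.O_RDONLY | os.O_WRONLY | os.O_RDWR  # low two flag bits on Linux


def parse_perms(perms):
    """Turn the 'rwxa' string of a watch rule into a bit mask."""
    mask = 0
    for ch in perms:
        if ch not in PERM_CHARS:
            raise ValueError(f"bad perm character {ch!r}")
        mask |= PERM_CHARS[ch]
    return mask


def acc_mode(flags):
    """Perm bits an open(2) implies, derived from its access-mode flags."""
    acc = flags & O_ACCMODE
    if acc == os.O_RDONLY:
        return PERM_READ
    if acc == os.O_WRONLY:
        return PERM_WRITE
    return PERM_READ | PERM_WRITE


def match_perm(syscall, mask, flags=0):
    """Would a syscall-exit record for SYSCALL satisfy the watch mask?

    open/openat are special: the decision depends on the open flags, so an
    open() record alone says nothing until its arguments are inspected.
    """
    if syscall in ("open", "openat"):
        return bool(mask & acc_mode(flags))
    if syscall == "execve":
        return bool(mask & PERM_EXEC)
    return bool((mask & PERM_WRITE and syscall in CLASS_WRITE)
                or (mask & PERM_READ and syscall in CLASS_READ)
                or (mask & PERM_ATTR and syscall in CLASS_CHATTR)
                or (mask & PERM_EXEC and syscall in CLASS_EXEC))


def explicit_syscalls(perms):
    """The -S list a user would have to spell out to reproduce the watch."""
    mask = parse_perms(perms)
    calls = {"open", "openat"}  # always needed: their perm is decided by flags
    if mask & PERM_WRITE:
        calls |= CLASS_WRITE
    if mask & PERM_READ:
        calls |= CLASS_READ
    if mask & PERM_ATTR:
        calls |= CLASS_CHATTR
    if mask & PERM_EXEC:
        calls |= CLASS_EXEC
    return calls


def watch_hits(path, perms, records):
    """Names of the constructed records a watch on PATH with PERMS would log."""
    mask = parse_perms(perms)
    return [r["syscall"] for r in records
            if r.get("path") == path
            and match_perm(r["syscall"], mask, r.get("flags", 0))]


# Constructed sample of syscall-exit records (not real audit log lines).
SAMPLE = [
    {"syscall": "open", "path": "/etc/shadow", "flags": os.O_RDONLY},
    {"syscall": "open", "path": "/etc/shadow", "flags": os.O_WRONLY | os.O_TRUNC},
    {"syscall": "read", "fd": 3},    # descriptor only: no path, never matched
    {"syscall": "write", "fd": 3},   # likewise
    {"syscall": "truncate", "path": "/etc/shadow"},
    {"syscall": "chmod", "path": "/etc/shadow"},
    {"syscall": "ioctl", "path": "/etc/shadow"},  # in no class in this model
    {"syscall": "open", "path": "/etc/passwd", "flags": os.O_RDWR},
]

if __name__ == "__main__":
    for perms in ("w", "wa", "r", "x"):
        print(f"-w /etc/shadow -p {perms}: {watch_hits('/etc/shadow', perms, SAMPLE)}")
    print("explicit -S list for -p w:", sorted(explicit_syscalls("w")))
```

Two things the model makes concrete: a `-p w` watch matches an open() only after the open flags are examined, which is exactly the "not very informative event" problem, and the actual data transfer (read(2), write(2)) is invisible to a path watch because by then there is no path in the call. The watch syntax hides the syscall list from the user; it does not remove the coupling.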
Thread overview: 3+ messages
[not found] <44514966.3080900@us.ibm.com>
[not found] ` <200604280850.15745.sgrubb@redhat.com>
[not found]   ` <1146238168.24265.51.camel@localhost.localdomain>
2006-05-01 19:25     ` Watch question Amy Griffis
2006-05-01 19:56       ` Casey Schaufler [this message]
2006-05-01 20:24         ` [redhat-lspp] " Steve Grubb