From: Casey Schaufler
Subject: Re: [redhat-lspp] Watch question
Date: Mon, 1 May 2006 12:56:37 -0700 (PDT)
Message-ID: <20060501195637.65996.qmail@web36601.mail.mud.yahoo.com>
In-Reply-To: <20060501192543.GA24222@zk3.dec.com>
Reply-To: casey@schaufler-ca.com
To: Amy Griffis, redhat-lspp@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--- Amy Griffis wrote:

> Timothy R. Chavez wrote: [Fri Apr 28 2006, 11:29:27AM EDT]
> > On Fri, 2006-04-28 at 08:50 -0400, Steve Grubb wrote:
> > > I completely disagree with the current file system auditing approach requiring
> > > explicit syscall coupling. I think it is a big problem for the security
> > > community to have a tool for auditing files that requires knowledge of
> > > syscalls.
>
> This audit subsystem was designed around knowledge of syscalls, to the
> point that it requires the user to know whether a particular rule
> field is applicable at syscall entry or exit time. (!)

The alternative to understanding system calls is understanding the underlying security policy in detail, and in truth you'll get lost pretty quickly if you don't understand both on whatever system you're using.
For audit to be complete it must be done at a low enough level that access control decisions can be observed. Since access control is deeply embedded in the system, it is necessary to embed audit as well. Systems that use an explicitly modular reference monitor have an advantage, but are still constrained by the information provided to them. (Reference the recent "inode" vs. "pathname" discussion on LSM.)

It is also the case that auditing must be coupled to the action requested. I'll admit that open() is not a very informative event, and that ioctl() is even worse. But for "real intent" there is no metric.

Casey Schaufler
casey@schaufler-ca.com