From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: NetLabel audit messages
Date: Fri, 22 Sep 2006 14:43:47 -0400
Message-ID: <45142EE3.4010704@hp.com>
References: <45141FA4.5070901@hp.com> <200609221406.04068.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
In-Reply-To: <200609221406.04068.sgrubb@redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> On Friday 22 September 2006 13:38, Paul Moore wrote:
>>In order to meet certain certification requirements, the NetLabel kernel
>>subsystem needs to write a small number of audit messages.
>
> What are the requirements you are addressing? (I have a feeling that it's
> similar to what we have to do to file systems.)

This is for LSPP certification, directly from our evaluator. If it is
important that you know the exact requirement in CC terms I can dig that up.
The basic motivation is that we need to generate an audit record whenever
there is a security-relevant configuration change.

>>For the messages themselves, here is what I was thinking:
>>
>> "netlabel: op= pid= tty= comm=
>> exe= uid= auid= euid= suid=
>> fsuid= gid= egid= sgid=
>> fsgid= [|]"
>
> This looks very much like a syscall record...would it make sense to do this as
> an aux record?

It looks like this is going to be discussed on irc.

--
paul moore
linux security @ hp