public inbox for linux-audit@redhat.com
From: Matthew Booth <mbooth@redhat.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: [Fwd: Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement)]
Date: Thu, 26 Mar 2009 19:54:51 +0000
Message-ID: <49CBDD8B.5010800@redhat.com>

I meant to send this to the list too.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

[Forwarded message: Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement)]

From: Matthew Booth <mbooth@redhat.com>
To: KaiGai Kohei <kaigai@ak.jp.nec.com>
Subject: Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement)
Date: Thu, 26 Mar 2009 07:39:39 +0000
Message-ID: <49CB313B.7020507@redhat.com>

KaiGai Kohei wrote:
> Hello,
> 
> I'm a developer of SE-PostgreSQL, which is an enhancement of
> database security using SELinux. It enables the security
> policy of the operating system to be applied to accesses to
> database objects as well.
> It makes access control decisions and audit messages, but
> these are not written out to the system audit mechanism.
> 
> I believe the preferable behavior is for the system audit to
> collect all the audit messages that come from SELinux, rather
> than a logfile of PostgreSQL.
> 
> Currently, audit-libs has an interface to write a message
> coming from a userspace AVC, but some of the parameters are not
> suitable for the reference monitor in a database management system.
> 
> This patch adds a new interface as follows:
>     int audit_log_database_message(int audit_fd, int type,
>                                    const char *message,
>                                    const char *hostname,
>                                    const char *addr,
>                                    const char *dbuser);
> 
> It differs from audit_log_user_avc_message() in having a new
> parameter, dbuser, instead of tty and uid.
> I don't think these are meaningful information for a DBMS, but
> we would like to record which database user invokes this audit
> record.

A few points:

When I have tried to use this mechanism in the past I have found the
existing proliferation of user message types confusing. If possible,
please don't add a new custom message to the library. Instead, maybe it
would be better to recognise that there will continue to be new and
unanticipated uses for structured audit data, and provide an API which
allows that to be expressed.

While there may be no tty as such, the idea is still meaningful.
Specifically, one of the first things an auditor will want to know is
where the user who performed a particular action logged on from. If you
have that information, you should include it in the audit record.

A concept of a session ID would probably have meaning in this context.
If you have one, or can create one, please include it in all messages,
including login messages.

Lastly, please no freeform text! It should be possible to determine
everything relevant about an event without looking at freeform text.

I look forward to playing with this :)

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
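As an added illustration of the record layout Matt asks for (structured fields, a session ID, nothing freeform) and of the dbuser field KaiGai's proposed audit_log_database_message() would carry, here is C that builds such a message body. It is my example, not code from audit-libs or SE-PostgreSQL; the field names dbuser/ses/op/obj/res and the build_db_audit_msg() helper are my own choices, and the hex-encoding rule follows my understanding of libaudit's convention for untrusted strings. Login origin is left to the hostname/addr parameters the libaudit calls already take.

```c
#include <stdio.h>
#include <string.h>

/* A value is emitted as key="value" only when it is printable ASCII with
 * no space or double quote; anything else is hex-encoded byte by byte, so
 * a hostile value can never smuggle a fake field into the record. */
static int needs_hex(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x21 || c > 0x7e || c == '"') return 1;
    }
    return 0;
}

/* Append key=value (space-separated). Returns 0, or -1 if it would not fit. */
static int append_field(char *buf, size_t n, const char *key, const char *val)
{
    size_t len = strlen(buf);
    int w = snprintf(buf + len, n - len, "%s%s=", len ? " " : "", key);
    if (w < 0 || (size_t)w >= n - len) return -1;
    len += (size_t)w;
    if (!needs_hex(val)) {
        w = snprintf(buf + len, n - len, "\"%s\"", val);
        return (w < 0 || (size_t)w >= n - len) ? -1 : 0;
    }
    for (; *val; val++) {
        w = snprintf(buf + len, n - len, "%02X", (unsigned char)*val);
        if (w < 0 || (size_t)w >= n - len) return -1;
        len += (size_t)w;
    }
    return 0;
}

/* Message body for one database access decision: database user, session,
 * operation, object and result, all as fields rather than free text. */
int build_db_audit_msg(char *buf, size_t n, const char *dbuser, long ses,
                       const char *op, const char *obj, const char *res)
{
    char sesbuf[24];
    if (n == 0) return -1;
    buf[0] = '\0';
    snprintf(sesbuf, sizeof sesbuf, "%ld", ses);
    return (append_field(buf, n, "dbuser", dbuser) < 0 ||
            append_field(buf, n, "ses", sesbuf) < 0 ||
            append_field(buf, n, "op", op) < 0 ||
            append_field(buf, n, "obj", obj) < 0 ||
            append_field(buf, n, "res", res) < 0) ? -1 : 0;
}
```

The resulting string is what would be passed as the `message` argument of a libaudit user-message call; an object name containing `" res="granted` comes out hex-encoded rather than as a second, forged result field.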