From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Booth Subject: [Fwd: Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement)] Date: Thu, 26 Mar 2009 19:54:51 +0000 Message-ID: <49CBDD8B.5010800@redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------030807060602030702050801" Return-path: Received: from mbooth.laptop (vpn-6-14.fab.redhat.com [10.33.6.14]) by ns3.rdu.redhat.com (8.13.8/8.13.8) with ESMTP id n2QJsqK4012942 for ; Thu, 26 Mar 2009 15:54:53 -0400 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Linux Audit List-Id: linux-audit@redhat.com This is a multi-part message in MIME format. --------------030807060602030702050801 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit I meant to send this to the list too. Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490 --------------030807060602030702050801 Content-Type: message/rfc822; name="Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement).eml" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename*0="Re: [PATCH] database audit integration (Re: Some ideas in SE"; filename*1="-PostgreSQL enhancement).eml" Message-ID: <49CB313B.7020507@redhat.com> Date: Thu, 26 Mar 2009 07:39:39 +0000 From: Matthew Booth Organization: Red Hat User-Agent: Thunderbird 2.0.0.21 (X11/20090320) MIME-Version: 1.0 To: KaiGai Kohei Subject: Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement) References: <49C7667A.3020804@ak.jp.nec.com> <49C7A88E.4020408@rubix.com> <49C84200.9090107@ak.jp.nec.com> <49C9D524.9050208@ak.jp.nec.com> <49CB1C7A.2050206@ak.jp.nec.com> In-Reply-To: <49CB1C7A.2050206@ak.jp.nec.com> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit KaiGai Kohei wrote: > Hello, > > I'm a developer of SE-PostgreSQL which is an enhancement of > database security using SELinux. It enables to apply the > security policy of the operating system on accesses to > database objects also. > It makes an access control decision and audit messages, but > these are not written out to system audit mechanism. > > I believe our preferable behavior is the system audit collects > all the audit messages come from SELinux, not a logfile of > PostgreSQL. > > Currently, the audit-libs has an interface to write a message > come from userspace avc, but some of parameter is not suitable > for the reference monitor in database management system. > > This patch adds a new interface as follows: > int audit_log_database_message(int audit_fd, int type, > const char *message, > const char *hostname, > const char *addr, > const char *dbuser); > > It is differ from audit_log_user_avc_message() in the point of > a new parameter of dbuser, instead of tty and uid. > I don't think these are meaningful information for DBMS, but > we would like to record what database user invokes this audit > record. A few points: When I have tried to use this mechanism in the past I have found the existing proliferation of user messages types confusing. If possible, please don't add a new custom message to the library. Instead, maybe it would be better to recognise that there will be continue to be new and unanticipated uses for structured audit data, and provide an api which allows that to be expressed. While where may be no tty as such, the idea is still meaningful. Specifically, one of the first things an auditor will want to know is where the user who performed a particular action logged on from. If you have that information, you should include it in the audit record. A concept of a session ID would probably have meaning in this context. If you have one, or can create one, please include it in all messages, including login messages. Lastly, please no freeform text! It should be possible to determine everything relevant about an event without looking at freeform text. I look forward to playing with this :) Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490 --------------030807060602030702050801 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --------------030807060602030702050801--