From: John Dennis
Subject: Re: [PATCH] database audit integration (Re: Some ideas in SE-PostgreSQL enhancement)
Date: Thu, 26 Mar 2009 17:45:08 -0400
Message-ID: <49CBF764.5000505@redhat.com>
In-Reply-To: <49CB1C7A.2050206@ak.jp.nec.com>
References: <49C7667A.3020804@ak.jp.nec.com> <49C7A88E.4020408@rubix.com> <49C84200.9090107@ak.jp.nec.com> <49C9D524.9050208@ak.jp.nec.com> <49CB1C7A.2050206@ak.jp.nec.com>
To: KaiGai Kohei
Cc: linux-audit@redhat.com, selinux
List-Id: linux-audit@redhat.com

KaiGai Kohei wrote:
> Hello,
>
> I'm a developer of SE-PostgreSQL, which is an enhancement of
> database security using SELinux. It makes it possible to apply the
> security policy of the operating system to accesses to
> database objects also.
> It makes access control decisions and audit messages, but
> these are not written out to the system audit mechanism.
>
> I believe our preferable behavior is that the system audit collects
> all the audit messages coming from SELinux, not a logfile of
> PostgreSQL.
>
> Currently, the audit-libs has an interface to write a message
> coming from a userspace AVC, but some of the parameters are not suitable
> for the reference monitor in a database management system.

In the past it has been stated that the kernel audit system is not appropriate for general application logging, because the kernel audit system is not easily extensible and is not the place to log general application data. While it is true the kernel audit system does allow for some user-level application logging, by design and intention it is constrained to select events deemed worthy of exception.

There is a new project called IPA (Identity, Policy, Audit) under development. IPA v1 has been released, but the initial v1 release focused only on the "I" part of IPA. In v2 we plan on filling out the "P" and "A" parts. One of the things we're introducing for the Audit component is a library called ELAPI (Event Logging API), which allows applications to generate logging event data which is recursively structured with key/value pairs (and which can also be reformatted into traditional strings). The library is capable of "dispatching" the structured events to a variety of destination "sinks" (i.e. syslog, file, IPA central logging repository, etc.). The destination sink processing is accomplished with loadable plugins, so it should be easy to support any destination you want once you start utilizing ELAPI to log information. We had been planning on adding the kernel audit system as a possible destination sink until the philosophy in the above paragraph was pointed out to us.

ELAPI can be installed independent of IPA. I just went looking for external documentation on ELAPI, but it appears as though the ELAPI documentation is only on a non-public wiki at the moment. I will try to get that issue fixed shortly. ELAPI is still in development, although I would say it's reaching the point of an alpha release.

Thus you may want to consider ELAPI for logging Secure PostgreSQL messages, and we would be interested in having you as a third party to review and exercise the library.

--
John Dennis

Looking to carve out IT costs? www.redhat.com/carveoutcosts/
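The following is an added illustration, not part of the original message and not ELAPI's API (which is not documented on this page): it sketches the design John Dennis describes, a recursively structured key/value event that can be rendered as a traditional log line and dispatched to registered destination sinks, with a per-sink filter so that only security-relevant decisions reach an audit-style sink while everything goes to a syslog-style sink. The sink names, the `security_relevant` flag, the `is_security_relevant` rule and the sample SE-PostgreSQL-shaped events are all constructed for the example.

```python
# Added example: structured events with pluggable sinks, in the shape the
# message above describes. Nothing here is ELAPI's real API; the sink
# names, the filter rule and the sample events are assumptions/constructed.
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]
Sink = Callable[[Event], None]
Filter = Callable[[Event], bool]


def flatten_event(event: Event, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested key/value pairs into dotted keys (e.g. subject.pid)."""
    flat: Dict[str, Any] = {}
    for key, value in event.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten_event(value, name))
        else:
            flat[name] = value
    return flat


def format_line(event: Event) -> str:
    """Render the structured event as a traditional key=value log string.

    Values containing whitespace, quotes or nothing at all are JSON-quoted so
    the resulting line can still be split back into fields unambiguously."""
    parts: List[str] = []
    for key, value in flatten_event(event).items():
        text = str(value)
        if text == "" or '"' in text or any(ch.isspace() for ch in text):
            text = json.dumps(text)
        parts.append(f"{key}={text}")
    return " ".join(parts)


class Dispatcher:
    """Route each event to every registered sink whose filter accepts it."""

    def __init__(self) -> None:
        self._sinks: List[Tuple[str, Filter, Sink]] = []

    def register(self, name: str, sink: Sink, accept: Optional[Filter] = None) -> None:
        # A sink without a filter receives every event (general application logging).
        self._sinks.append((name, accept or (lambda _e: True), sink))

    def dispatch(self, event: Event) -> List[str]:
        """Deliver the event; return the names of the sinks that took it."""
        delivered: List[str] = []
        for name, accept, sink in self._sinks:
            if accept(event):
                sink(event)
                delivered.append(name)
        return delivered


def make_list_sink(store: List[str], render: Callable[[Event], str]) -> Sink:
    """Stand-in for a file/syslog/remote sink: appends rendered events to a list."""
    def sink(event: Event) -> None:
        store.append(render(event))
    return sink


def is_security_relevant(event: Event) -> bool:
    """Assumed selection rule: denials and explicitly flagged events only.

    This mirrors the point that an audit channel is reserved for select
    events rather than general application chatter."""
    return event.get("result") == "denied" or bool(event.get("security_relevant", False))


def demo() -> Dict[str, Any]:
    """Constructed sample: one SE-PostgreSQL-style denial and one startup message."""
    syslog_lines: List[str] = []
    audit_lines: List[str] = []
    dispatcher = Dispatcher()
    dispatcher.register("syslog", make_list_sink(syslog_lines, format_line))
    dispatcher.register(
        "audit",
        make_list_sink(audit_lines, lambda e: json.dumps(flatten_event(e), sort_keys=True)),
        is_security_relevant,
    )
    denial: Event = {  # constructed, not a real SE-PostgreSQL record
        "app": "sepgsql", "event": "avc",
        "subject": {"scontext": "user_u:user_r:user_t", "pid": 1234},
        "object": {"class": "db_table", "name": "accounts",
                   "tcontext": "system_u:object_r:sepgsql_secret_table_t"},
        "perm": "select", "result": "denied",
    }
    startup: Event = {"app": "sepgsql", "event": "startup",
                      "msg": "policy loaded", "result": "ok"}
    routes = {"denial": dispatcher.dispatch(denial), "startup": dispatcher.dispatch(startup)}
    return {"routes": routes, "syslog": syslog_lines, "audit": audit_lines}


if __name__ == "__main__":
    for line in demo()["syslog"]:
        print(line)
```

The design choice worth noting is that the decision of which events are "worthy of exception" lives in the filter attached to the audit-style sink, not in the application code that emits the event: the application records everything structurally, and each destination decides what it wants.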