--- Amy Griffis <[EMAIL PROTECTED]> wrote:
> Timothy R. Chavez wrote: [Fri Apr 28 2006, > 11:29:27AM EDT] > > On Fri, 2006-04-28 at 08:50 -0400, Steve Grubb > wrote: > > > I completely disagree with the current file > system auditing approach requiring > > > explicit syscall coupling. I think it is a big > problem for the security > > > community to have a tool for auditing files that > requires knowledge of > > > syscalls. > > This audit subsystem was designed around knowledge > of syscalls, to the > point that it requires the user to know whether a > particular rule > field is applicable at syscall entry or exit time. > (!) The alternative to understanding system calls is understanding the underlying security policy in detail, and in truth you'll get lost pretty quickly if you don't understand both on whatever system you're using. For audit to be complete it must be done at a low enough level that access control decisions can be observed. Since access control is deeply embedded in the system it is necessary to embed audit as well. Systems that use a explicitly modular reference monitor have an advantage, but are still constrained by the information provided them. (reference the recent "inode" vs. "pathname" discussion on LSM) It is also the case that auditing must be coupled to the action requested. I'll admit that open() is not a very informative event, and that ioctl() is even worse. But for "real intent" there is no metric. Casey Schaufler [EMAIL PROTECTED] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
