--- Tomas Mraz <[EMAIL PROTECTED]> wrote:
> Yes, that's the current one. We actually audit just
> the case when user requests a level change, not the
> role change.

That surprises me. If roles are included in your security claims I would consider changing roles a change in the security state, and hence quite relevant, thus requiring audit.

> We also do not audit the
> case where the requested level is invalid.

You can argue that on the basis of not auditing user errors ...

> There is just a message
> in /var/log/secure for that case.

... except that by doing that you're saying that it does matter. That's going to make it difficult to explain what your audit policy is. Not impossible, but you don't want to have to explain every decision along these lines.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
