Gary Winiger writes:
> Tom,
>
> > I guess that you and I are in a race to see who can putback first. If you
> > putback first, I'll add event generation for read_authorization actions to
> > my code. If I putback first, I'd be happy to help you with code to
> > generate the event.
>
> What's the proposed definition of this record? Where is it expected
> to fit into the currently proposed set of events and records?
>
> AUE_smf_read_prop, subject, uauth, frmi, type, return?
> Or something else?
>
> Gary..

Those values look good to me. Keith, in a separate mail, suggests that type is not needed because the property value is neither being created nor modified. That sounds reasonable to me, unless you have some security-related reason for logging the type.

Keith, I assume that you are adding the authorization checking to the rc_node_get_property_value() function. If you are using the perm_granted() and the associated pc_* functions, then we should have all the information that we need to generate the event. Well, once my code is in place, we'll have the information.

But, I'm starting to talk implementation when we're supposed to be talking architecture. So you might just say that once the SMF auditing framework is in place, an event like the one that Gary mentions will be generated for reads of restricted properties.

tom