Re: File access auditing
On Wednesday 27 April 2005 21:16, Marcell Metzner <mmetzner@intergenia.de>
wrote:
> I have seen this using SE Linux or RSBAC.
> These 2 are the best I have seen till now.
One limitation of SE Linux in this regard is due to the design of the LSM
interface.
The LSM interface does not get called until after Unix permissions have been
checked. So, for example, if I have a process running as UID!=0 and
group!=shadow which attempts to read /etc/shadow, then that operation will not
be audited by SE Linux.
RSBAC is not based on LSM and is not subject to that limitation, so it may be
able to audit such things.
However, there is code in the standard kernel.org 2.6.x kernels to do this; you
need the auditctl and auditd programs and the following options in your
kernel config:
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
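As an added example, not part of Russell's mail or of the audit project's own code: the auditctl watch rule for the /etc/shadow case he describes, and a small awk filter that picks the DAC-denied reads (the ones the LSM hook never sees) out of constructed sample audit records. The key name "shadow-read", the record contents and every field value are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original mail). Needs CONFIG_AUDIT=y and
# CONFIG_AUDITSYSCALL=y, a running auditd, and root to load the rule.

# Rule to load with auditctl: watch read opens of /etc/shadow, tag "shadow-read".
# Only printed here; loading it requires CAP_AUDIT_CONTROL.
shadow_watch_rule() {
    printf '%s\n' '-w /etc/shadow -p r -k shadow-read'
}

# Constructed sample records in the format auditd writes (field values assumed):
# record 42 is a read refused by Unix permissions (exit=-13 is -EACCES) from uid 1000,
# record 43 is a successful read by root, record 44 carries an unrelated key.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1114634160.123:42): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=2101 pid=2140 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 comm="cat" exe="/bin/cat" key="shadow-read"
type=PATH msg=audit(1114634160.123:42): item=0 name="/etc/shadow" inode=131101 dev=08:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1114634161.500:43): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="login" exe="/bin/login" key="shadow-read"
type=SYSCALL msg=audit(1114634162.000:44): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd3 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2160 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 comm="cat" exe="/bin/cat" key="other"'

# Read audit records from stdin and print "uid pid comm" for every SYSCALL record
# tagged with the given key whose open was refused with EACCES. These are exactly
# the attempts that never reach the LSM hook, so SE Linux cannot log them.
denied_by_dac() {
    key="$1"
    awk -v k="$key" '
        $1 == "type=SYSCALL" && index($0, "key=\"" k "\"") && index($0, " success=no ") && index($0, " exit=-13 ") {
            uid = ""; pid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
            }
            print uid, pid, comm
        }'
}

# Number of DAC-denied /etc/shadow reads in the sample (expected: 1).
count_shadow_denials() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | denied_by_dac shadow-read | wc -l | tr -d ' '
}
```

On a live system the same records come from `ausearch -k shadow-read`, which can be piped into `denied_by_dac shadow-read` in place of the constructed sample.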