
Re: File access auditing



On Wednesday 27 April 2005 21:16, Marcell Metzner <mmetzner@intergenia.de> 
wrote:
> I have seen this using SE Linux or RSBAC.
> These 2 are the best I have seen till now.

One limitation of SE Linux in this regard is due to the design of the LSM 
interface.

The LSM interface does not get called until after Unix permissions have been 
checked.  So for example if I have a process running as UID!=0 and 
group!=shadow which attempts to read /etc/shadow then that operation will not 
be audited by SE Linux.

RSBAC is not based on LSM and is not subject to that limitation, so it may be 
able to audit such things.

However, there is code in the standard kernel.org 2.6.x kernels to do this; you 
need the auditctl and auditd programs and the following options in your 
kernel config:
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
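An added example (not part of Russell's message or of the audit package) of what the kernel audit subsystem gives you that an LSM hook cannot: a DAC-denied open of /etc/shadow still produces a SYSCALL record with success=no and exit=-13 (EACCES), tied by its serial number to a PATH record naming the file. The watch rule in the comment uses auditctl's documented -w/-p/-k syntax; the log lines are hand-constructed in the audit.log format, not captured from a real system, and the parser is a small stand-in for ausearch so the example runs offline.

```python
import re
from collections import defaultdict

EACCES = 13  # errno "Permission denied"; audit records it as exit=-13

# Constructed sample of the records auditd would write after a watch such as:
#   auditctl -w /etc/shadow -p rwa -k shadow-access
# Event 201: uid 1000 runs cat on /etc/shadow and DAC refuses it (LSM never sees this).
# Event 202: root's sshd opens /etc/shadow successfully.
# Event 203: uid 1001 runs less on /etc/shadow and is refused as well.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1114600000.123:201): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1234 a1=0 a2=0 a3=0 items=1 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="shadow-access"
type=CWD msg=audit(1114600000.123:201): cwd="/home/alice"
type=PATH msg=audit(1114600000.123:201): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
type=SYSCALL msg=audit(1114600010.456:202): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1234 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow-access"
type=PATH msg=audit(1114600010.456:202): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
type=SYSCALL msg=audit(1114600020.789:203): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd5678 a1=0 a2=0 a3=0 items=1 ppid=1100 pid=1101 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="less" exe="/usr/bin/less" key="shadow-access"
type=CWD msg=audit(1114600020.789:203): cwd="/home/bob"
type=PATH msg=audit(1114600020.789:203): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Parse one audit.log line into (serial, fields); quoted values lose their quotes."""
    m = MSG_RE.search(line)
    if not m:
        return None, {}
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = m.group(1)
    return int(m.group(2)), fields


def group_events(log_text):
    """Join the SYSCALL/CWD/PATH records sharing one serial into a single event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        serial, fields = parse_record(line)
        if serial is None:
            continue
        if fields.get("type") == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))
        elif fields.get("type") == "SYSCALL":
            events[serial].update(fields)
    return events


def denied_accesses(log_text, path):
    """Events where the kernel refused access to `path` at the DAC check (success=no, exit=-EACCES)."""
    hits = []
    for serial, ev in sorted(group_events(log_text).items()):
        if path not in ev["paths"]:
            continue
        if ev.get("success") == "no" and ev.get("exit") == str(-EACCES):
            hits.append({"serial": serial, "uid": int(ev["uid"]),
                         "comm": ev.get("comm"), "exe": ev.get("exe")})
    return hits


def count_by_uid(hits):
    """Tally denied attempts per uid, a cheap signal for alerting thresholds."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["uid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for h in denied_accesses(SAMPLE_AUDIT_LOG, "/etc/shadow"):
        print(f"serial={h['serial']} uid={h['uid']} comm={h['comm']} exe={h['exe']} denied")
    print(count_by_uid(denied_accesses(SAMPLE_AUDIT_LOG, "/etc/shadow")))
```

On a real host the same query is `ausearch -k shadow-access --success no`; the parser above only exists so the joining of SYSCALL and PATH records by serial, and the exit=-13 test that distinguishes a refused attempt from a permitted read, can be seen and run without auditd installed.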
