Crispin Cowan has suggested that the "next stage" should examine audit requirements, and SGI has worked hard on figuring out how to implement the "CAPP" requirements for auditing. For those of you who wonder "what might someone want for auditing requirements", I think a good place to start would be the following two documents (http://www.radium.ncsc.mil/tpep/library/protection_profiles/):

* Controlled Access Protection Profile (CAPP) - this is "C2 using the Common Criteria". See in particular section 5.1.1. It requires that systems be _ABLE_ to log a number of events; what a system actually audits at any given time is configurable (in practice, systems have much of this turned off unless there is a concern of ongoing/imminent danger), but the idea is that an attacker won't know exactly what's being audited TODAY. It also needs to be ABLE to log success _or_ failure (or both) of a given event. These events include unsuccessful reading of audit logs and "all requests to perform an operation on an object covered by the SFP".

* Labeled Security Protection Profile (LSPP) - this is "B1 using the Common Criteria". It has a similar section 5.1.1 with a few additions.

I'm sure that there are other events that someone might want to audit, and I'm sure not everyone would want this list. However, a system that has enough hooks to audit these events would be a good start, and you'd be able to refer to a canonical list of events to audit. At the very least, it's a good test and first step towards supporting audit.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
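The selection model the message above describes (a hook present for every auditable event, a run-time choice of which events and which outcomes get recorded, and the audit trail itself being an object whose failed reads are auditable) sketched as an added example in C. This is editor-supplied illustration, not code from the original message, from SGI, or from any LSM audit implementation. The event names, the fixed-size in-memory trail and the rule that only uid 0 may read the trail are this example's own assumptions standing in for a real audit-administrator role, not definitions taken from CAPP or LSPP.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Auditable event classes, loosely modelled on the kinds of events the
 * post mentions. The names are this example's own, not CAPP/LSPP ones. */
enum audit_event {
    AUDIT_OBJECT_ACCESS = 0, /* any operation on a protected object */
    AUDIT_LOG_READ,          /* an attempt to read the audit trail itself */
    AUDIT_LOGIN,             /* an authentication attempt */
    AUDIT_EVENT_COUNT
};

/* The outcome doubles as a selection bit, so a policy can pick success,
 * failure, or both, independently for each event class. */
enum audit_outcome { AUDIT_SUCCESS = 1u << 0, AUDIT_FAILURE = 1u << 1 };

/* Run-time policy: what is audited TODAY. The hooks below are always
 * present; only this table decides whether a given call writes a record. */
struct audit_policy { uint8_t select[AUDIT_EVENT_COUNT]; };

struct audit_record {
    enum audit_event event;
    enum audit_outcome outcome;
    uint32_t uid;
    char object[32];
};

#define AUDIT_TRAIL_MAX 16
struct audit_trail {
    struct audit_record rec[AUDIT_TRAIL_MAX];
    size_t count;   /* records written */
    size_t dropped; /* records lost because the trail was full */
};

static void audit_policy_set(struct audit_policy *p, enum audit_event ev, uint8_t mask)
{
    p->select[ev] = mask & (AUDIT_SUCCESS | AUDIT_FAILURE);
}

/* The hook every auditable operation calls, selected or not; the decision
 * is taken here against the live policy. Returns true if a record was written. */
static bool audit_event(const struct audit_policy *p, struct audit_trail *t,
                        enum audit_event ev, enum audit_outcome outcome,
                        uint32_t uid, const char *object)
{
    if (ev >= AUDIT_EVENT_COUNT || !(p->select[ev] & outcome))
        return false;                    /* not selected today */
    if (t->count == AUDIT_TRAIL_MAX) {
        t->dropped++;                    /* trail full: count the loss, never silently drop */
        return false;
    }
    struct audit_record *r = &t->rec[t->count++];
    r->event = ev;
    r->outcome = outcome;
    r->uid = uid;
    snprintf(r->object, sizeof r->object, "%s", object);
    return true;
}

/* Reading the trail is itself auditable. uid 0 is an assumed stand-in for
 * an audit-administrator role; a refused read goes through the same hook,
 * so "unsuccessful reading of audit logs" can be captured if selected. */
static const struct audit_record *audit_trail_read(const struct audit_policy *p,
                                                   struct audit_trail *t,
                                                   uint32_t uid, size_t *n)
{
    if (uid != 0) {
        audit_event(p, t, AUDIT_LOG_READ, AUDIT_FAILURE, uid, "audit-trail");
        *n = 0;
        return NULL;
    }
    audit_event(p, t, AUDIT_LOG_READ, AUDIT_SUCCESS, uid, "audit-trail");
    *n = t->count;
    return t->rec;
}

/* Constructed scenario: today's policy records failed object accesses,
 * every trail read, and both outcomes of login. Returns records written. */
static size_t audit_demo(void)
{
    struct audit_policy pol = {0};
    struct audit_trail trail = {0};
    audit_policy_set(&pol, AUDIT_OBJECT_ACCESS, AUDIT_FAILURE);
    audit_policy_set(&pol, AUDIT_LOG_READ, AUDIT_SUCCESS | AUDIT_FAILURE);
    audit_policy_set(&pol, AUDIT_LOGIN, AUDIT_SUCCESS | AUDIT_FAILURE);

    audit_event(&pol, &trail, AUDIT_LOGIN, AUDIT_FAILURE, 1000, "tty1");             /* written */
    audit_event(&pol, &trail, AUDIT_LOGIN, AUDIT_SUCCESS, 1000, "tty1");             /* written */
    audit_event(&pol, &trail, AUDIT_OBJECT_ACCESS, AUDIT_SUCCESS, 1000, "/etc/motd");   /* not selected */
    audit_event(&pol, &trail, AUDIT_OBJECT_ACCESS, AUDIT_FAILURE, 1000, "/etc/shadow"); /* written */

    size_t n;
    audit_trail_read(&pol, &trail, 1000, &n);                             /* refused: failure recorded */
    const struct audit_record *r = audit_trail_read(&pol, &trail, 0, &n); /* allowed: success recorded */
    for (size_t i = 0; i < n; i++)
        printf("event=%d outcome=%d uid=%u object=%s\n",
               (int)r[i].event, (int)r[i].outcome, r[i].uid, r[i].object);
    return n;
}

int main(void) { audit_demo(); return 0; }
```

The point the hook layout makes is the one the post makes: because `audit_event` is called unconditionally at every event site, the selection table can be narrowed or widened at run time without rebuilding anything, and nothing visible to a caller reveals which events and outcomes are being kept. The separate `dropped` counter is the caveat a real trail needs: a full trail must not lose records silently.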
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 14:22:34 PDT