Casey is right here. On a number of MLS systems lots of audit messages will be generated via DAC failures when no one is really trying to probe/break the system. Various commands may attempt to access an object and, if it is successful, then do something that is entirely within the authorization of the command. If it fails the access, it does something else. If DAC failure is being audited, an audit entry is made that someone will have to evaluate, so some sites may not audit DAC until they are sure something is going on. On the other hand, when someone attempts to access an object to which they do not have the proper MAC access, that is cause for concern and so they want to audit those actions.

Mike

Casey Schaufler wrote:
>
> Crispin Cowan wrote:
> >
> > I'm trying and failing to contrive a scenario in which it is a Big Deal that an
> > attacker:
> >
> > * has a shell on a critical system
> > * is probing the security configuration looking for weakness
> > * would be blocked by both DAC and MAC
> > * auditing/host IDS is configured to raise alarms if MAC violations are attempted
> > * auditing/host IDS is NOT configured to raise alarms if DAC violations are
> > attempted
>
> Your scenario has a couple assumptions which constrain it unduly.
> You're assuming malice with "is probing ...", which is not
> required for the situation to be interesting. You're assuming
> that DAC is considered important at all when in many installations
> it's not, to the point that auditing is really disabled for DAC
> checks. The only situation they care about is a MAC violation,
> and they're not watching DAC so as to reduce the audit output to
> manageable levels.
>
> --
>
> Casey Schaufler Manager, Trust Technology, SGI
> caseyat_private voice: 650.933.1634
> casey_pat_private Pager: 888.220.0607
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module

--
Mikel L. Matthews
V.P. and Chief Engineer
Argus Systems Group, Inc.
www.argus-systems.com
(217) 355-6308
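An added illustration of the audit policy discussed in this thread (example code, not from the list or any of the posters): a filter that labels each audit event as a MAC denial or a plain DAC failure and surfaces only the ones the site has chosen to watch, so that the DAC noise from ordinary commands probing for objects does not bury the MAC violations. The record format, field names and sample records are a constructed simplification, not a real audit log format.

```python
import re
from collections import Counter

# Constructed sample records, not real logs. The format is an assumed simplification of
# Linux audit output: an AVC record marks an LSM (MAC) denial; a SYSCALL record with
# success=no exit=-13 (EACCES) and no AVC record is a plain DAC (permission-bit) failure.
SAMPLE_RECORDS = [
    'type=SYSCALL event=1001 pid=4021 comm="ls" success=no exit=-13 name="/root/.ssh"',
    'type=SYSCALL event=1002 pid=4021 comm="ls" success=yes exit=3 name="/home/alice"',
    'type=AVC event=1003 pid=5110 comm="cat" denied={read} name="payroll.db" tcontext=secret_t',
    'type=SYSCALL event=1003 pid=5110 comm="cat" success=no exit=-13 name="payroll.db"',
    'type=SYSCALL event=1004 pid=6003 comm="find" success=no exit=-13 name="/var/spool/cron"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')

def parse(record):
    """Split one record into a field -> value dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}

def classify_events(records):
    """Group records by event id; label each event MAC, DAC or OK. Returns (labels, events)."""
    events = {}
    for rec in records:
        f = parse(rec)
        events.setdefault(f["event"], []).append(f)
    labels = {}
    for ev, fields in events.items():
        if any(f["type"] == "AVC" for f in fields):
            labels[ev] = "MAC"   # LSM denial; the EACCES syscall record belongs to it, not to DAC
        elif any(f.get("success") == "no" for f in fields):
            labels[ev] = "DAC"   # permission bits alone refused the access
        else:
            labels[ev] = "OK"
    return labels, events

def alerts(records, audit_dac=False):
    """Events an analyst should see: MAC denials always, DAC failures only if the site opts in."""
    labels, events = classify_events(records)
    wanted = {"MAC", "DAC"} if audit_dac else {"MAC"}
    return [(lab, events[ev][0]["comm"], events[ev][0]["name"])
            for ev, lab in labels.items() if lab in wanted]

def dac_noise_by_command(records):
    """How many DAC failures each command produced: the volume a DAC-auditing site must review."""
    labels, events = classify_events(records)
    return Counter(events[ev][0]["comm"] for ev, lab in labels.items() if lab == "DAC")
```

With the sample records, `alerts(SAMPLE_RECORDS)` yields only the `cat` MAC denial, while `dac_noise_by_command` shows the `ls` and `find` failures that a DAC-auditing site would also have to review.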
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 13:41:10 PDT