Casey Schaufler wrote:

>Leigh Purdie wrote:
>
>>... Once the LSM hooks we need are
>>available in an operational kernel, we're hoping to move SNARE in this
>>direction.
>>
>>
>We've been watching LSM. Hopefully some of the hostility
>the project had toward audit in the early days has worn off.
>
That is an unfair characterization. LSM *never* had any hostility towards
audit. Rather, *Linus* is hostile towards audit, and LSM (by necessity)
exists at Linus' pleasure. Persuade Linus that it is worthwhile to add
features to LSM that exist only to support C2-like audit, and I would be
happy to add the hooks. As far as I can tell, no one else in the LSM
community is hostile, either; we just chose not to fight that battle with
Linus for you.

Caveat: adding fully compliant C2 audit hooks to LSM is very intrusive.
IIRC, it requires roughly six times the number of file system hooks as the
present implementation. The issue is that LSM hooks just ahead of actually
granting access, and C2 requires hooks that detect attempts to access that
will fail for non-security reasons. Detecting those cases is hard, because
the Linux kernel short-circuits such error cases and returns failure before
getting to the LSM hooks.

Don't blame me if/when Linus shows you the door, and *definitely don't*
tell Linus that I said he should accept audit :-)

>Our own efforts have been sidetracked by our need to get
>the Altix 3000 to market, with any luck we should be able
>to get back in the swing of things sometime soon. Direct
>kernel integration is what LSM was slated to avoid, so do
>try to use it. We'll be looking at Snare real soon.
>
I agree with that: please try to use LSM for as much audit as you can. It
is both interesting science and practical utility to see how much audit can
be done with the existing LSM.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                        Just say ".Nyet"
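The hook-placement point in Crispin's caveat, as an added user-space model written for this archive page (not kernel code, and not from any of the posters): an LSM-style permission hook only runs after path lookup has succeeded, so an open() that fails with ENOENT never reaches it, while audit hooks at syscall entry and exit see every attempt. The file lists, struct and function names are constructed for the illustration.

```c
#include <errno.h>
#include <string.h>

/* Constructed user-space model (not kernel code) of where an LSM hook and a
 * C2-style audit hook would sit on the open() path. Paths are made up. */

struct hook_stats {
    int lsm_calls;        /* times the LSM permission hook ran */
    int audit_entries;    /* times the syscall-entry audit hook ran */
    int last_result;      /* result recorded by the syscall-exit hook */
};

static const char *const existing_files[]   = { "/etc/passwd", "/etc/shadow", NULL };
static const char *const restricted_files[] = { "/etc/shadow", NULL };

static int in_list(const char *const *list, const char *path)
{
    for (; *list; list++)
        if (strcmp(*list, path) == 0)
            return 1;
    return 0;
}

/* LSM-style hook: runs only after the kernel has already resolved the path. */
static int lsm_inode_permission(struct hook_stats *st, const char *path)
{
    st->lsm_calls++;
    return in_list(restricted_files, path) ? -EACCES : 0;
}

/* C2-style audit hooks at syscall entry and exit: they see every attempt,
 * including ones the kernel rejects before any LSM hook is reached. */
static void audit_syscall_entry(struct hook_stats *st) { st->audit_entries++; }
static void audit_syscall_exit(struct hook_stats *st, int ret) { st->last_result = ret; }

/* Modelled sys_open(): a missing file fails with -ENOENT before any LSM hook. */
int model_open(struct hook_stats *st, const char *path)
{
    int ret;

    audit_syscall_entry(st);
    if (!in_list(existing_files, path))
        ret = -ENOENT;                        /* short-circuit: LSM never sees it */
    else
        ret = lsm_inode_permission(st, path); /* LSM consulted only here */
    audit_syscall_exit(st, ret);
    return ret;
}
```

Counting the calls shows why an audit implementation built only on the existing LSM hooks misses the failed-for-non-security-reasons attempts that C2 requires to be recorded.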
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 15:03:04 PST