Re: c2 (or c2-like) auditing for Linux

From: Crispin Cowan (crispinat_private)
Date: Wed Jan 29 2003 - 14:13:31 PST


Casey Schaufler wrote:

>Leigh Purdie wrote:
>
>>... Once the LSM hooks we need are
>>available in an operational kernel, we're hoping to move SNARE in this
>>direction.
>>
>We've been watching LSM. Hopefully some of the hostility
>the project had toward audit in the early days has worn off.
>
That is an unfair characterization. LSM *never* had any hostility
towards audit. Rather, *Linus* is hostile towards audit, and LSM (by
necessity) exists at Linus' pleasure. Persuade Linus that it is
worthwhile to add features to LSM that exist only to support C2-like
audit, and I would be happy to add the hooks. As far as I can tell, no
one else in the LSM community is hostile, either; we just chose not to
fight that battle with Linus for you.

Caveat: adding fully compliant C2 audit hooks to LSM is very intrusive.
IIRC, it requires roughly six times the number of file system hooks as
the present implementation. The issue is that LSM hooks just ahead of
actually granting access, and C2 requires hooks that detect attempts to
access that will fail for non-security reasons. Detecting those cases
is hard, because the Linux kernel short-circuits such error cases and
returns failure before getting to the LSM hooks.

Don't blame me if/when Linus shows you the door, and *definitely don't*
tell Linus that I said he should accept audit :-)

>Our own efforts have been sidetracked by our need to get
>the Altix 3000 to market, with any luck we should be able
>to get back in the swing of things sometime soon. Direct
>kernel integration is what LSM was slated to avoid, so do
>try to use it. We'll be looking at Snare real soon.
>
I agree with that: please try to use LSM for as much audit as you can.
It is both interesting science and practical utility to see how much
audit can be done with the existing LSM.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"
    
    
    
    
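The coverage gap Crispin describes (an LSM hook sits just ahead of the access decision, so attempts that fail earlier for non-security reasons never reach it) can be shown with a small userspace model. The following is an added illustration, not code from the post, from LSM, or from SNARE: it is a constructed toy with a two-file fake namespace, a hypothetical policy that denies /etc/shadow, a stand-in "LSM permission hook" that audits what it sees, and a syscall-level wrapper that audits every attempt. The function and path names are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy model (not kernel code): contrasts an audit record taken
 * from an LSM-style permission hook with one taken at syscall entry/exit.
 * The LSM-style hook runs only after path lookup succeeds, so an attempt
 * that fails with ENOENT is short-circuited before the hook ever runs.
 */

#define MAX_EVENTS 16

struct audit_event {
    char path[64];
    int  result;      /* 0 on success, -errno on failure */
};

static struct audit_event lsm_log[MAX_EVENTS];
static int lsm_count;
static struct audit_event sys_log[MAX_EVENTS];
static int sys_count;

static void record(struct audit_event *log, int *count, const char *path, int rc)
{
    if (*count >= MAX_EVENTS)
        return;
    strncpy(log[*count].path, path, sizeof log[*count].path - 1);
    log[*count].path[sizeof log[*count].path - 1] = '\0';
    log[*count].result = rc;
    (*count)++;
}

/* Constructed fake namespace: only these two paths exist. */
static int path_exists(const char *path)
{
    static const char *const present[] = { "/etc/passwd", "/etc/shadow" };
    size_t i;
    for (i = 0; i < sizeof present / sizeof present[0]; i++)
        if (strcmp(path, present[i]) == 0)
            return 1;
    return 0;
}

/* Stand-in for an LSM inode permission hook: audits what it sees, then
 * applies a hypothetical policy (deny /etc/shadow). */
static int lsm_inode_permission(const char *path)
{
    int rc = (strcmp(path, "/etc/shadow") == 0) ? -EACCES : 0;
    record(lsm_log, &lsm_count, path, rc);
    return rc;
}

/* Model of the open() path: lookup first; a failed lookup returns before
 * any security hook is consulted, which is the short-circuit described
 * in the post. */
static int model_open(const char *path)
{
    if (!path_exists(path))
        return -ENOENT;            /* LSM hook never runs for this attempt */
    return lsm_inode_permission(path);
}

/* Syscall-level audit wrapper: records every attempt and its result,
 * whatever the reason for failure. */
static int audited_open(const char *path)
{
    int rc = model_open(path);
    record(sys_log, &sys_count, path, rc);
    return rc;
}

static int log_has(const struct audit_event *log, int count, const char *path)
{
    int i;
    for (i = 0; i < count; i++)
        if (strcmp(log[i].path, path) == 0)
            return 1;
    return 0;
}

int lsm_hook_saw(const char *path)      { return log_has(lsm_log, lsm_count, path); }
int syscall_audit_saw(const char *path) { return log_has(sys_log, sys_count, path); }
int lsm_hook_count(void)                { return lsm_count; }
int syscall_audit_count(void)           { return sys_count; }

/* Runs three attempts (success, policy denial, missing file) and returns
 * how many attempts the LSM-placed hook did not observe. */
int run_scenario(void)
{
    static const char *const attempts[] = { "/etc/passwd", "/etc/shadow", "/etc/nosuch" };
    size_t i;
    lsm_count = sys_count = 0;
    for (i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        audited_open(attempts[i]);
    return sys_count - lsm_count;
}

int main(void)
{
    int i, missed = run_scenario();
    printf("syscall-level audit saw %d attempts, LSM hook saw %d (gap: %d)\n",
           sys_count, lsm_count, missed);
    for (i = 0; i < sys_count; i++)
        printf("  %-12s rc=%d %s\n", sys_log[i].path, sys_log[i].result,
               lsm_hook_saw(sys_log[i].path) ? "" : "(not visible to LSM hook)");
    return 0;
}
```

The missing-file attempt is recorded only by the syscall-level wrapper; the LSM-style hook records the success and the policy denial but is never called for the ENOENT case. Closing that gap in a real kernel means hooking earlier in each file-system path, which is the extra hook count the post refers to.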

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module



    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 15:03:04 PST