Re: c2 (or c2-like) auditing for Linux

• Previous message: Chris Wright: "Re: [patch] CONFIG_SECURITY_NETWORK"
• In reply to: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Next in thread: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Reply: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Reply: Leigh Purdie: "Re: c2 (or c2-like) auditing for Linux"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Casey Schaufler wrote:

>Leigh Purdie wrote:
>
>>... Once the LSM hooks we need are
>>available in an operational kernel, we're hoping to move SNARE in this
>>direction.
>>    
>>
>We've been watching LSM. Hopefully some of the hostility
>the project had toward audit in the early days has worn off.
>
That is an unfair characterization. LSM *never* had any hostility 
towards audit. Rather, *Linus* is hostile towards audit, and LSM (by 
necessity) exists at Linus' pleasure. Persuade Linus that it is 
worth-while to add features to LSM that exist only to support C2-like 
audit, and I would be happy to add the hooks. As far as I can tell, no 
one else in the LSM community is hostile, either, we just chose not to 
fight that battle with Linus for you.

Caveat: adding fully compliant C2 audit hooks to LSM is very intrusive. 
IIRC, it requires roughly six times the number of file system hooks as 
the present implementation. The issue is that LSM hooks just ahead of 
actually granting access, and C2 requires hooks that detects attempts to 
access that will fail for non-security reasions. Detecting those cases 
is hard, because the Linux kernel short-circuits such error cases and 
returns failure before getting to the LSM hooks.

Don't blame me if/when Linus shows you the door, and *defintely don't* 
tell Linus that I said he should accept audit :-)

>Our own efforts have been sidetracked by our need to get
>the Altix 3000 to market, with any luck we should be able
>to get back in the swing of things sometime soon. Direct
>kernel integration is what LSM was slated to avoid, so do
>try to use it. We'll be looking at Snare real soon.
>
I agree with that: please try to use LSM for as much audit as you can. 
It is both interesting science and practical utility to see how much 
audit can be done with the existing LSM.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
			    Just say ".Nyet"

• application/pgp-signature attachment: stored

• Next message: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Previous message: Chris Wright: "Re: [patch] CONFIG_SECURITY_NETWORK"
• In reply to: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Next in thread: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Reply: Casey Schaufler: "Re: c2 (or c2-like) auditing for Linux"
• Reply: Leigh Purdie: "Re: c2 (or c2-like) auditing for Linux"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 15:03:04 PST