Re: c2 (or c2-like) auditing for Linux

From: Casey Schaufler (caseyat_private)
Date: Wed Jan 29 2003 - 16:51:04 PST


    Crispin Cowan wrote:
    > LSM *never* had any hostility towards audit.
    Err, that's NOT what it looked like from this end!
    > Rather, *Linus* is hostile towards audit, and LSM (by
    > necessity) exists at Linus' pleasure.
    My belief is that Linus is hostile to the all intrusive
    audit (referenced below) that serves no other purpose.
    This was a good incentive to suggest LSM, and was one
    of its instigators. That LSM does not make the audit
    problem go away implies to me that it's not as successful
    as it could have been.
    > Persuade Linus that it is
    > worth-while to add features to LSM that exist only to support C2-like
    > audit, and I would be happy to add the hooks. As far as I can tell, no
    > one else in the LSM community is hostile, either, we just chose not to
    > fight that battle with Linus for you.
    Good point, and I understand that the desire to have an
    LSM that meets those other needs should not be held back
    by a known worst case sort of feature.
    > Caveat: adding fully compliant C2 audit hooks to LSM is very intrusive.
    > IIRC, it requires roughly six times the number of file system hooks as
    > the present implementation. The issue is that LSM hooks just ahead of
    > actually granting access, and C2 requires hooks that detect attempts to
    > access that will fail for non-security reasons. Detecting those cases
    > is hard, because the Linux kernel short-circuits such error cases and
    > returns failure before getting to the LSM hooks.
    > Don't blame me if/when Linus shows you the door, and *definitely don't*
    > tell Linus that I said he should accept audit :-)
    Awe. No, I don't blame anyone. It's completely
    reasonable that those who back a cause should fight
    for it, banding with allies where it's mutually beneficial
    and accepting when they differ.
    > >Our own efforts have been sidetracked by our need to get
    > >the Altix 3000 to market, with any luck we should be able
    > >to get back in the swing of things sometime soon. Direct
    > >kernel integration is what LSM was slated to avoid, so do
    > >try to use it. We'll be looking at Snare real soon.
    > >
    > I agree with that: please try to use LSM for as much audit as you can.
    > It is both interesting science and practical utility to see how much
    > audit can be done with the existing LSM.
    We have got a "pretty close" audit for LSM. We don't yet have
    approval to release it. LSM has moved a bit since we last
    touched the audit code, and it's our own fault that we're out
    of sync.
    Casey Schaufler				Manager, Trust Technology, SGI
    caseyat_private				voice: 650.933.1634
    casey_pat_private			Pager: 877.557.3184
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 16:52:29 PST
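Added illustration of the hook-placement point made in the quoted caveat above (why an audit built only on LSM hooks misses attempts that fail for non-security reasons). This is example code written for this page, not code from the post, from SGI, or from the Linux kernel; every name in it (toy_open, toy_lookup, security_inode_permission, audit_syscall_exit, the toy filesystem entries) is hypothetical. It models a kernel-style open that resolves the name first and returns -ENOENT before any LSM permission hook runs, beside a syscall-exit audit hook that records every attempt and its outcome whatever the reason for failure.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy "filesystem" (constructed for this example): names with a read bit. */
struct toy_inode { const char *name; int readable; };
static const struct toy_inode toy_fs[] = {
    { "/etc/motd",   1 },
    { "/etc/shadow", 0 },
};

/* Counters standing in for audit records. */
static int lsm_hook_calls;      /* attempts the LSM permission hook observed */
static int syscall_hook_calls;  /* attempts the syscall-level audit hook observed */

/* LSM-style hook (hypothetical): only reached once an inode is in hand. */
static int security_inode_permission(const struct toy_inode *ino, int want_read)
{
    lsm_hook_calls++;
    return (want_read && !ino->readable) ? -EACCES : 0;
}

/* C2-style hook at syscall exit (hypothetical): sees every attempt and result. */
static void audit_syscall_exit(const char *path, int result)
{
    syscall_hook_calls++;
    printf("audit: open(%s) -> %d (%s)\n", path, result,
           result == 0 ? "ok" : strerror(-result));
}

static const struct toy_inode *toy_lookup(const char *path)
{
    for (size_t i = 0; i < sizeof toy_fs / sizeof toy_fs[0]; i++)
        if (strcmp(toy_fs[i].name, path) == 0)
            return &toy_fs[i];
    return NULL;
}

/* Open modelled on the ordering the post describes: a lookup failure
 * returns -ENOENT before the LSM hook is ever called, so the LSM-only
 * audit never learns that the attempt happened. */
static int toy_open(const char *path, int want_read)
{
    const struct toy_inode *ino = toy_lookup(path);
    int rc;

    if (ino == NULL)
        rc = -ENOENT;                               /* short-circuit: no LSM hook */
    else
        rc = security_inode_permission(ino, want_read);

    audit_syscall_exit(path, rc);                   /* sees the attempt either way */
    return rc;
}

/* Runs a fixed set of attempts and reports how many each hook observed. */
struct hook_coverage { int attempts; int seen_by_lsm; int seen_by_syscall_audit; };

struct hook_coverage run_scenario(void)
{
    static const char *paths[] = { "/etc/motd", "/etc/shadow", "/etc/missing" };
    struct hook_coverage cov = { 0, 0, 0 };

    lsm_hook_calls = 0;
    syscall_hook_calls = 0;
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        toy_open(paths[i], 1);
        cov.attempts++;
    }
    cov.seen_by_lsm = lsm_hook_calls;
    cov.seen_by_syscall_audit = syscall_hook_calls;
    return cov;
}

int main(void)
{
    struct hook_coverage cov = run_scenario();
    printf("%d attempts: LSM hook saw %d, syscall-exit audit saw %d\n",
           cov.attempts, cov.seen_by_lsm, cov.seen_by_syscall_audit);
    return 0;
}
```

Of the three attempts, the LSM hook observes only the two whose names resolve; the open of the missing name fails with -ENOENT before the hook is reached, while the syscall-exit hook records all three. That gap is the extra hook coverage the caveat refers to.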