Re: c2 (or c2-like) auditing for Linux

From: Jesse Pollard (pollardat_private)
Date: Thu Jan 30 2003 - 07:02:15 PST


    On Thursday 30 January 2003 12:55 am, Crispin Cowan wrote:
    > Question for Casey & other Orange Book folk: the above proposal
    > *assumes* that it is C2 compliant to do checks in this order:
    >    1. error checks (no audit records if they fail)
    >    2. DAC checks (audit records)
    >    3. MAC checks (audit records)
    > Does this assumption hold?

    I thought it would switch 2 and 3:

    1. error checks (no audit records if they fail)
    	This refers to the request error (improper buffer, request out of range, ...)
    2. MAC checks (audit records)
    	Because some MAC checks can immediately deny access
    3. DAC checks (audit records)
    	The usual stuff.

    Note: there is still the problem of capabilities overriding evaluations of 2
    and 3 results.

    The practical choice of order would likely depend on the frequency of failure.
    It is faster to abort an operation as early as possible, with the cautionary
    note that if the MAC checks are done second, then it is possible to determine
    the DAC values existing on an object without violating MAC, hence
    providing a data leak.

    Jesse I Pollard, II
    Email: pollardat_private
    Any opinions expressed are solely my own.
    linux-security-module mailing list
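
An added example (not part of the original message, and not LSM or kernel code): a small C model of the two check orderings discussed above, showing that a step-1 request error writes no audit record and that running DAC before MAC lets a MAC-denied subject tell objects' DAC settings apart. The types, function names, the "no read up" rule and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
/* Hypothetical model of the ordering discussed above; all names are assumptions. */
enum result { OK, ERR_REQUEST, DENY_MAC, DENY_DAC };
enum order  { MAC_FIRST, DAC_FIRST };
struct subject { int uid, level; };
struct object  { int owner, level, other_read; };
static int audit_count;                       /* audit records written so far */

static int audited(const char *check, const struct subject *s, int allowed)
{
    audit_count++;
    printf("audit: check=%s uid=%d result=%s\n", check, s->uid,
           allowed ? "allow" : "deny");
    return allowed;
}

static int mac_ok(const struct subject *s, const struct object *o)
{ return s->level >= o->level; }              /* constructed rule: no read up */
static int dac_ok(const struct subject *s, const struct object *o)
{ return s->uid == o->owner || o->other_read; }

enum result check_read(const struct subject *s, const struct object *o,
                       const void *buf, long len, enum order ord)
{
    if (buf == NULL || len < 0)
        return ERR_REQUEST;                   /* step 1: rejected, no audit record */
    for (int step = 0; step < 2; step++) {    /* steps 2 and 3, in the chosen order */
        int is_mac = (step == 0) == (ord == MAC_FIRST);
        if (is_mac && !audited("MAC", s, mac_ok(s, o)))
            return DENY_MAC;
        if (!is_mac && !audited("DAC", s, dac_ok(s, o)))
            return DENY_DAC;
    }
    return OK;
}

/* Returns 1 if a subject that MAC denies can tell two objects' DAC bits apart.
 * Assumption: the caller can distinguish the reason for a denial. */
int dac_leaks(enum order ord)
{
    char buf[8];
    struct subject low = { 1000, 0 };         /* constructed sample values */
    struct object closed = { 0, 2, 0 }, readable = { 0, 2, 1 };
    return check_read(&low, &closed, buf, sizeof buf, ord) !=
           check_read(&low, &readable, buf, sizeof buf, ord);
}

int main(void)
{
    printf("leak: DAC first=%d, MAC first=%d\n", dac_leaks(DAC_FIRST), dac_leaks(MAC_FIRST));
    return 0;
}
```

With MAC first, both objects produce the same MAC denial and one audit record each; with DAC first, the denial reason depends on the object's DAC bits.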
