Re: c2 (or c2-like) auditing for Linux

From: Russell Coker (russellat_private)
Date: Thu Jan 30 2003 - 07:15:56 PST

  • Next message: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"

    On Thu, 30 Jan 2003 16:02, Jesse Pollard wrote:
    > > Question for Casey & other Orange Book folk: the above proposal
    > > *assumes* that it is C2 compliant to do checks in this order:
    > >
    > >    1. error checks (no audit records if they fail)
    > >    2. DAC checks (audit records)
    > >    3. MAC checks (audit records)
    > >
    > > Does this assumption hold?
    > I though it would switch 2 and 3:
    > 1. error checks (no audit records if they fail)
    > 	This refers to the request error (improper buffer, request out of range,
    > ...) 2. MAC checks (audit records)
    > 	Because some MAC checks can immediately deny access
    > 3. DAC checks (audit records)
    > 	The usual stuff.
    > Note: there is still the problem of capabilities overriding evaluations of
    > 2 and 3 results.
    How can capabilities override MAC checks?  We have DAC_OVERRIDE capability but 
    no MAC_OVERRIDE...
    > The practical choice of order would likely depend on the frequency of
    > failure. It is faster to abort an operation as early as possible, with the
    In which case MAC should be done first.  For my systems I believe that the 
    vast majority of permission denied results from system calls concern /proc 
    which has little protection in DAC but lots of protection in SE Linux.  Every 
    time "ps", "top", or "lsof" are run many operations are denied.
    > cautionary note that if the MAC checks are done second, then it is possible
    > to determine what the DAC values existing on an object without violating
    > MAC, and hence providing a data leak.
    What exactly do you mean by this?
    --   My NSA Security Enhanced Linux packages  Bonnie++ hard drive benchmark    Postal SMTP/POP benchmark  My home page
    linux-security-module mailing list

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 07:17:41 PST