On Wed, 16 Feb 2005 07:52:51 PST, Casey Schaufler said:

> The advice given by the NSA during our B1
> evaluation was that in the case
> above the MAC check should be done
> first (because it's more important) and
> because you want the audit record to report
> the MAC failure whenever possible. The
> team advised us that if we didn't do the MAC
> check first we would have a tough row to hoe
> explaining the design decision and an even
> tougher time explaining that the audit of
> MAC criteria had been met.

Fine advice, if the LSM exits had in fact been structured that way. But the LSM hooks are where they are, and as a result not useful for auditing.

As others noted, the current 2.6 kernel *does* have a separate audit framework (although it will still report DAC failures in preference to MAC failures). I admit having no good idea how to solve that issue, other than having the audit framework do a dummy LSM call to see if a MAC failure would have been reported as well if it's an audited syscall. But that's still quite high on the bletcherous scale....
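The ordering question in the message above, as an added toy model that is not part of the original post and is not kernel or LSM code: it shows which denial reason reaches the audit record under DAC-first and MAC-first ordering, and what the extra MAC query suggested in the message would add. All types, names and the "no read up" rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model with constructed types and names; not kernel or LSM code. */
enum { DENY_NONE = 0, DENY_DAC = 1, DENY_MAC = 2 };   /* bit flags */
struct subject { unsigned uid; int level; };           /* level = MAC label */
struct object  { unsigned owner; bool other_read; int level; };

static bool dac_allows(const struct subject *s, const struct object *o)
{
    return s->uid == o->owner || o->other_read;
}

/* "No read up" rule standing in for a MAC module's decision. */
static bool mac_allows(const struct subject *s, const struct object *o)
{
    return s->level >= o->level;
}

/* DAC first: the MAC check is reached only if DAC passes. */
static int check_dac_first(const struct subject *s, const struct object *o)
{
    if (!dac_allows(s, o)) return DENY_DAC;
    return mac_allows(s, o) ? DENY_NONE : DENY_MAC;
}

/* MAC first, the ordering advised in the quoted text. */
static int check_mac_first(const struct subject *s, const struct object *o)
{
    if (!mac_allows(s, o)) return DENY_MAC;
    return dac_allows(s, o) ? DENY_NONE : DENY_DAC;
}

/* Workaround floated above: after a DAC denial, audit asks MAC anyway. */
static int audit_with_dummy_mac(const struct subject *s, const struct object *o)
{
    int reasons = check_dac_first(s, o);
    if (reasons == DENY_DAC && !mac_allows(s, o))
        reasons |= DENY_MAC;
    return reasons;
}

int main(void)
{
    struct subject user = { 1000, 0 };
    struct object secret = { 0, false, 2 };   /* fails both DAC and MAC */
    printf("dac-first=%d mac-first=%d dummy-call=%d\n", check_dac_first(&user, &secret),
           check_mac_first(&user, &secret), audit_with_dummy_mac(&user, &secret));
    return 0;
}
```

When an access fails both checks, the DAC-first path records only the DAC reason, so the MAC denial never appears in the audit trail unless the extra query is made.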