From: Amon Ott <ao@rsbac.org>
Subject: Re: auditing
Date: Mon, 17 Jul 2000 14:41:31 +0200

On Mon, 17 Jul 2000 Rockee W. Shi wrote:
> By security auditing I mean auditing of security-relevant events.

OK. You probably know the different logging settings for RSBAC already:
- Log by request type
- Log by File/Dir/Dev target
- Log by calling user
- Log by program

With these, you can set up detailed logging, e.g. of accesses to /etc/passwd or execution of useradd.

Also, reading and setting of standard attributes is only done after a READ_ATTRIBUTE/MODIFY_ATTRIBUTE request, which can also be logged after the above criteria. AUTH file cap changes are requested (and logged) as MODIFY_ATTRIBUTE requests for attributes auth_add_f_cap and auth_remove_f_cap.

So far, the security admins have to decide what they consider as security relevant and sensible to log. RSBAC has no builtin severeness levels.

What has not (yet) been implemented:
- Some module specific logging events, e.g. when changing an ACL. The logging criteria for these still have to be designed. Maybe another pseudo right "log changes"
- Standard logging setup better than "log, if denied"
- Intrusion Detection. So far, grep is your friend.

This could result in another wishlist... :)

Amon.