Re: auditing


From: Amon Ott <ao@rsbac.org>
Subject: Re: auditing
Date: Mon, 17 Jul 2000 14:41:31 +0200

Next Article (by Date): Strange ways at t-online... Amon Ott
Previous Article (by Date): auditing "Rockee W. Shi"
Top of Thread: auditing "Rockee W. Shi"


On Mon, 17 Jul 2000 Rockee W. Shi wrote:
> By security auditing I mean auditing of security-relevant events.

OK. You probably know the different logging settings for RSBAC already:

- Log by request type
- Log by File/Dir/Dev target
- Log by calling user
- Log by program

With these, you can set up detailed logging e.g. of accesses to /etc/passwd or
execution of useradd.

Also, reading and setting of standard attributes is only done after a
READ_ATTRIBUTE/MODIFY_ATTRIBUTE request, which can also be logged after the
above criteria.

AUTH file cap changes are requested (and logged) as MODIFY_ATTRIBUTE requests
for attributes auth_add_f_cap and auth_remove_f_cap.

So far, the security admins have to decide what they consider as security
relevant and sensible to log. RSBAC has no builtin severeness levels.


What has not (yet) been implemented:
- Some module specific logging events, e.g. when changing an ACL. The logging
criteria for these still have to be designed. Maybe another pseudo right "log
changes"
- Standard logging setup better than "log, if denied"
- Intrusion Detection. So far, grep is your friend.

This could result in another wishlist... :)

Amon.
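As an added illustration of the "grep is your friend" approach (this is not code from the RSBAC project or from the message above): a small audit filter that applies the four logging axes from the message (request type, target, calling user, program) to kernel log lines. The key=value line layout and the sample lines are constructed assumptions, not the real RSBAC log format, so adapt the regular expression to what your syslog actually shows.

```python
import re

# Constructed sample lines in an ASSUMED key=value layout; the real RSBAC
# kernel log format differs, so adapt LINE_RE to what your syslog shows.
SAMPLE_LOG = """\
rsbac_adf: request=READ_OPEN uid=1001 pid=4123 prog=/bin/cat target=FILE:/etc/passwd result=GRANTED
rsbac_adf: request=EXECUTE uid=1001 pid=4124 prog=/bin/bash target=FILE:/usr/sbin/useradd result=NOT_GRANTED
rsbac_adf: request=MODIFY_ATTRIBUTE uid=0 pid=4130 prog=/sbin/attr_set_file_dir target=FILE:/usr/bin/passwd attr=auth_add_f_cap result=GRANTED
rsbac_adf: request=READ_ATTRIBUTE uid=1002 pid=4131 prog=/bin/ls target=FILE:/home/bob/notes result=GRANTED
rsbac_adf: request=MODIFY_ATTRIBUTE uid=1003 pid=4140 prog=/tmp/x target=FILE:/usr/bin/su attr=auth_remove_f_cap result=NOT_GRANTED
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

# What the admin decided is security relevant (RSBAC itself has no severity levels).
SENSITIVE_TARGETS = {"/etc/passwd", "/etc/shadow"}
SENSITIVE_PROGRAMS = {"/usr/sbin/useradd", "/usr/sbin/userdel"}
AUTH_CAP_ATTRS = {"auth_add_f_cap", "auth_remove_f_cap"}

def parse(line):
    """Turn one log line into a dict of fields; returns {} for non-RSBAC lines."""
    if not line.startswith("rsbac_adf:"):
        return {}
    fields = dict(LINE_RE.findall(line))
    # Split "FILE:/etc/passwd" into target type and path.
    ttype, _, tpath = fields.get("target", "").partition(":")
    fields["target_type"], fields["target_path"] = ttype, tpath
    return fields

# Rules along the axes from the message: target, program, request type, calling user.
RULES = [
    ("access to sensitive file",
     lambda f: f.get("target_path") in SENSITIVE_TARGETS),
    ("execution of account-management program",
     lambda f: f.get("request") == "EXECUTE" and f.get("target_path") in SENSITIVE_PROGRAMS),
    ("AUTH file cap change",
     lambda f: f.get("request") == "MODIFY_ATTRIBUTE" and f.get("attr") in AUTH_CAP_ATTRS),
    ("attribute change by non-root user",
     lambda f: f.get("request") == "MODIFY_ATTRIBUTE" and f.get("uid") != "0"),
    ("denied request",
     lambda f: f.get("result") == "NOT_GRANTED"),
]

def audit(log_text):
    """Return [(line_number, [matched rule names])] for every line some rule flags."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = parse(line)
        if not f:
            continue
        matched = [name for name, pred in RULES if pred(f)]
        if matched:
            hits.append((n, matched))
    return hits

if __name__ == "__main__":
    for n, reasons in audit(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```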
