| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5436127.FQ1IkbQgGc@sifl> Date: Fri, 07 Aug 2015 10:22:18 -0400 From: Paul Moore <pmoore@...hat.com> To: Casey Schaufler <casey@...aufler-ca.com> Cc: Steve Grubb <sgrubb@...hat.com>, Richard Guy Briggs <rgb@...hat.com>, linux-audit@...hat.com, linux-kernel@...r.kernel.org Subject: Re: [PATCH V4 (was V6)] audit: use macros for unset inode and device values On Thursday, August 06, 2015 02:31:57 PM Casey Schaufler wrote: > I remember the Orange Book days when we were *required* to audit by > dev/inode because it was the only true way to identify the object. Yes, > it's analogous to auditing the pid, but we had to audit by that, too. The > dev/indode and pid are the "true" names. Anything else is a hint at what > you're looking at. I can easily imaging someone who really cares about the > audit data supplying the dev/inode and pid. Just to add a bit of clarity, my original question was if there was any value in exposing the unset/invalid device and inode values, e.g. -1. While I agree that there is value in auditing by dev/inode, I can't think of a reasonable situation where the user would need to pass an unset/invalid device and/or inode value into the kernel as part of an audit configuration command. -- paul moore security @ redhat -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists