Mailinglist Archive: opensuse-security (81 mails)

Re: [suse-security] File and folder access auditing, how?
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Sat, 04 Feb 2006 01:08:08 -0800
  • Message-id: <43E46EF8.1090201@xxxxxxxxxx>

HG wrote:
> Perhaps a different thing, but I just heard from another source that I
> should look at SELinux... is that included with Pro 9.2 or the latter?
> And does that somehow relate to file access auditing?
>
9.2 had some bits and pieces of SELinux in it, but never really fully
supported it.

With 10.0 onward, we have completely removed SELinux, and replaced it
with AppArmor http://www.opensuse.org/Apparmor which is much easier to
use than SELinux.

AppArmor and SELinux are access control systems, which are kinda related
to audit systems, but not exactly the same:

  * Audit systems need to record lots of data, and access control
    systems don't always have all that data to hand.
  * Access control systems need to figure out what is being requested
    early enough to stop it from happening, while audit systems can
    just note that it happened, even after the fact.

So whether to blend an access control system with an audit system is
something of an architectural question we are still working on.

>> 9.1 / SLES 9 has a EAL4+/CAPP capable audit system doing all you might
>> want ... For 10.1 / SLES 10 this is planned too.
>>
> Unfortunately we are running the Pro 9.2 and are looking to upgrading
> to 10.X (probably wait for the 10.1). I do not think we are going for
> SLES... rather we might go for the OSS.
AppArmor is included in SL10.0, SL10.1, and SLES9SP3. I'm less sure of
where the audit systems are included, but I would suspect all of them.

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption

