Re: [PATCH] (for 2.3.99pre6) audit_ids system calls

From: Mark H. Wood (mwood@IUPUI.Edu)
Date: Wed May 03 2000 - 14:49:22 EST

On Tue, 2 May 2000, Rik van Riel wrote:
> On Tue, 2 May 2000, Linda Walsh wrote:
> > Alan Curry wrote:
> >
> > > So finally, you admit CAPP is a bug :)
> > ---
> > Lack of CAPP is a bug definitely, but CAPP
> > is government issue ya know...:-)
> Personally I'd rather see Linux chose for real security than
> for some paperwork issue.
> Having a security enhancement in the kernel is fine by me,
> but this sounds like it's nothing more than a paper enhancement.
> (And as such, pure bloat IMHO, but maybe Linus' opinion on this
> differs)

The people who get to decide whether others may or may not select Linux
for certain applications, think it is real.

It's really fairly simple. su changes who the system thinks you are, but
you haven't changed; you're still you. People who write auditing code
need to know who you are whenever you cause an auditable event in order to
avoid incorrectly recording events against someone else. They need to be
able to log that "Mark did X as root".

The bosses want to know Who even more than How, because they can always
grab Who and sweat the How out of him. Knowing Who also makes it easier
to trawl through the auditlog looking for more suspicious Whats.

I presume that there's some reason that auditlog analysis tools can't
chain back through layers of 'su's to find the original session logon?

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
"Where's the kaboom?  There was supposed to be an Earth-shattering kaboom!"
	 -- Marvin Martian, 01/01/2000 00:00:00

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:12 EST