On Thu, 2007-02-08 at 10:48 -0800, Casey Schaufler wrote:
> --- Tomas Mraz <[EMAIL PROTECTED]> wrote:
>
> > Yes, that's the current one. We actually audit just
> > the case when user
> > requests a level change, not the role change.
>
> That surprises me. If roles are included in your
> security claims I would consider changing roles
> a change in the security state, and hence quite
> relevant, thus requiring audit.
>
> > We also do not audit the
> > case where the requested level is invalid.
>
> You can argue that on the basis of not auditing
> user errors ...
>
> > There is just a message
> > in /var/log/secure for that case.
>
> ... except that by doing that you're saying
> that it does matter. That's going to make it
> difficult to explain what your audit policy
> is. Not impossible, but you don't want to
> have to explain every decision along these
> lines.

Could you please open up a bug report against openssh in RH bugzilla for
that?

Thank you,
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp