[cap-talk] Horton vs. ACLs - private namespaces and the Audit Problem
Jed Donnelley
jed at nersc.gov
Tue Oct 9 13:57:47 EDT 2007
On 10/9/2007 10:28 AM, Karp, Alan H wrote:
> Jed wrote:
>> I know our main tool in this regard in our NLTSS work
>> (http://en.wikipedia.org/wiki/NLTSS)
>> was logging messages. Since every authorization and every
>> exercise of an authority (e.g. what are typically referred
>> to as "system calls" on conventional systems) flowed over a
>> message, by logging all the messages we were able to see all
>> authorizations and any exercise of an authority.
>
> Client Utility and e-speak also worked this way.
Isn't it a delightful environment? I always felt that
with such logs I could see literally everything that
went on in the system. Certainly everything that is
meaningful at a "system" level (between trust boundaries).
Perhaps you can see why, for me, language level issues
were below my radar. They didn't enforce trust boundaries,
so I didn't care about them. If they do enforce trust
boundaries then from my perspective they become "OS"
level issues with the full range of OS level enforcement,
accounting, etc. requirements.
>> I don't really see how one can do much better? Is there
>> some reason such logs don't suffice for the "audit problem"?
>> Of course there is a certain amount of overhead with such
>> logging. Because of that we generally didn't leave full
>> logging on all the time.
>
> We used a publish/subscribe (actually publish/distribute/subscribe)
> system. If there were no subscribers for a particular logging event, we
> didn't publish it. That let us leave logging on all the time since many
> low-level events rarely had subscribers.
I'm interested to hear more about the Client Utility/e-speak
"subscription" mechanism, perhaps some time when we are talking?
E.g. "who" was authorized to subscribe to which logging events
and how was that authorization managed. If you feel such a discussion
might interest others, feel free to describe it here or just
point me to any available documentation or wait until we get
a chance to talk again.
--Jed http://www.webstart.com/jed/
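
The two ideas discussed in this message, as an added illustration that is not part of the original post and is not NLTSS, Client Utility or e-speak code: a toy message kernel where every use or transfer of authority goes through one send(), with audit events that are only built when someone subscribes. All names (AuditBus, Kernel, the event kinds, the processes) are assumptions made for the sketch.

```python
from collections import defaultdict

class AuditBus:
    """Pub/sub audit channel; a record is built only if its kind has a subscriber."""
    def __init__(self):
        self._subs = defaultdict(list)   # event kind -> callbacks
        self.built = 0                   # records actually constructed
    def subscribe(self, kind, callback):
        self._subs[kind].append(callback)
    def publish(self, kind, make_record):
        subs = self._subs.get(kind)
        if not subs:                     # no subscriber: nothing is built or sent
            return
        record = make_record()
        self.built += 1
        for cb in subs:
            cb(record)

class Kernel:
    """Toy message kernel: every use or transfer of authority is one send()."""
    def __init__(self, bus):
        self.bus, self.server_of = bus, {}   # server_of: capability -> serving process
        self.clists = defaultdict(set)       # process -> capabilities held
    def create(self, owner, cap, server):
        self.server_of[cap] = server
        self.clists[owner].add(cap)
    def send(self, sender, cap, op, passed=()):
        held = self.clists[sender]
        if cap not in held or not set(passed) <= held:
            self.bus.publish("denied", lambda: ("denied", sender, cap, op))
            return False
        receiver = self.server_of[cap]
        self.bus.publish("invoke", lambda: ("invoke", sender, receiver, cap, op))
        for c in passed:                 # capabilities in a message authorize the receiver
            self.clists[receiver].add(c)
            self.bus.publish("grant", lambda c=c: ("grant", sender, receiver, c))
        return True

def demo():
    """Constructed scenario: subscribe to grants and denials only."""
    bus, log = AuditBus(), []
    for kind in ("grant", "denied"):
        bus.subscribe(kind, log.append)
    k = Kernel(bus)
    k.create("alice", "fs", server="fileserver")
    k.create("alice", "printer", server="spooler")
    k.send("alice", "fs", "read")                       # "invoke": unsubscribed, skipped
    k.send("alice", "fs", "share", passed=["printer"])  # "grant" is logged
    k.send("mallory", "fs", "read")                     # "denied" is logged
    return log, bus.built
```
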