From: Axelle A. (LMC) <Axe...@er...> - 2003-03-14 22:22:31
Hi all,
I'm new to this SAL project, and have just been basically through the
SAL documentation ("SAL Software Design Document 1.0"). There seems to
be a bunch of interesting ideas, the best auditing system I've been
looking at so far...
However, I have a few questions I hope somebody might care to answer.
*************
- Regarding legal evidence:
The document says that logs produced by computers are not admissible as
evidence unless it can be shown that they have not been modified.
==> is this a requirement specific to the U.S., or a general requirement
from the C2 specs? (I think it's the first.)
==> to my understanding, this is not exactly true. I had the feeling
that the court retained evidence with different levels of trust
regarding the evidence. For instance a signed text would have more
impact than unsigned text, but all texts were admissible in front of the
court. I am unsure of this. Any feedback?
And as a matter of fact, I had also heard of cases where computer data
had been retained as legal evidence, though that data did not have any
digital signature for instance. Have you heard this too ? Have laws
changed since ?
==> more exactly, do you mean somebody has to prove computer data has
not been modified (meaning it is unfeasible without detection), or do
you mean that for data not to be retained as evidence one should prove it has
been modified? Can you provide more references about those facts?
**************
- about the "little files" that are kept on the client before being sent
to the logging server:
==> are they digitally signed? Wouldn't it be possible for an intruder
to corrupt those files before they get sent to the logging server?
**************
- performance issues:
==> I want to make sure. If the audit daemon (auditd) is stopped on the
client, then the system calls continue to be audited and to
fill the kernel buffer space allocated for this. If the daemon is
stopped too long, then audited data may be lost. On the other hand, if
the audit daemon is restarted before the buffer is filled, then nothing
is lost. Right?
==> there seem to have been some benchmark tests. Would it be possible to
publish those results? What's the overhead induced by SAL? How were
the benchmarks performed?
Regards,
Axelle.
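The question above about the "little files" spooled on the client is really a question about log integrity before forwarding. The following is an added example, not SAL's own code and not anything the SAL documentation describes: each spooled record is tagged with an HMAC chained to the previous record's tag, and a closing tag binds the record count, so the logging server can detect modification, reordering, deletion, and tail truncation of a spool file before accepting it. The key name, record fields, and helper names are constructed for illustration.

```python
# Added example (not SAL code): chained HMAC tags over spooled audit records.
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain anchor for the first record (constructed constant)


def _encode(record):
    """Canonical byte form so client and server hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_spool(key, records):
    """Tag each record with HMAC(key, previous_tag || record) and append a closing
    tag over the final chain tag and the record count. Editing, reordering or
    deleting a record changes every expected tag from that point on; dropping
    records from the tail changes the expected closing tag."""
    entries, prev = [], GENESIS
    for record in records:
        tag = hmac.new(key, prev + _encode(record), hashlib.sha256).digest()
        entries.append({"record": record, "tag": tag.hex()})
        prev = tag
    closing = hmac.new(key, prev + b"CLOSE:%d" % len(entries), hashlib.sha256)
    return {"entries": entries, "closing": closing.hexdigest()}


def verify_spool(key, spool):
    """Return None if the spool is intact. Otherwise return the index of the first
    entry whose tag fails, or len(entries) when only the closing tag fails
    (the chain is consistent but the tail is missing)."""
    prev = GENESIS
    for i, entry in enumerate(spool["entries"]):
        expect = hmac.new(key, prev + _encode(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(entry["tag"])):
            return i
        prev = expect
    n = len(spool["entries"])
    expect_close = hmac.new(key, prev + b"CLOSE:%d" % n, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect_close, spool["closing"]):
        return n
    return None


def _deep_copy(spool):
    # JSON round-trip gives an independent copy without touching the original.
    return json.loads(json.dumps(spool))


def mutate(spool, index, **changes):
    """Copy of the spool with fields of one record altered (simulated tampering)."""
    copy = _deep_copy(spool)
    copy["entries"][index]["record"].update(changes)
    return copy


def drop_entry(spool, index):
    """Copy of the spool with one entry removed (simulated deletion/truncation)."""
    copy = _deep_copy(spool)
    del copy["entries"][index]
    return copy


# Constructed sample data for a stand-alone run.
DEMO_KEY = b"constructed-demo-key"  # in practice provisioned out of band per client
DEMO_RECORDS = [
    {"seq": 1, "syscall": "open", "uid": 0, "path": "/etc/passwd"},
    {"seq": 2, "syscall": "execve", "uid": 1000, "path": "/bin/sh"},
    {"seq": 3, "syscall": "unlink", "uid": 0, "path": "/var/log/sal/spool.1"},
]


def demo():
    """Seal the sample spool and report what each kind of tampering looks like."""
    spool = seal_spool(DEMO_KEY, DEMO_RECORDS)
    results = {
        "intact": verify_spool(DEMO_KEY, spool),
        "record 1 edited": verify_spool(DEMO_KEY, mutate(spool, 1, uid=0)),
        "record 1 deleted": verify_spool(DEMO_KEY, drop_entry(spool, 1)),
        "tail truncated": verify_spool(DEMO_KEY, drop_entry(spool, 2)),
        "wrong key": verify_spool(b"wrong-key", spool),
    }
    for label, outcome in results.items():
        print(f"{label:16s} -> {'ok' if outcome is None else f'fails at index {outcome}'}")
    return results


if __name__ == "__main__":
    demo()
```

A symmetric HMAC like this only answers the question "was the spool changed after the client sealed it?" against an intruder who does not hold the key. An intruder with root on the client can read the key and re-seal the file, so in practice the key is either held only by the server (the client forwards records immediately and the server seals on receipt) or is evolved forward after each record, with the old key erased, so that records already written cannot be re-sealed retroactively.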