best way to audit in vfs

Stephen Smalley sds at epoch.ncsc.mil
Tue Dec 14 20:03:08 UTC 2004


On Tue, 2004-12-14 at 15:00, Timothy R. Chavez wrote:
> Hello,
> 
> I've been kind of thinking about this.  Presumably, we want to audit
> both failed and successful attempts in whatever vfs function we happen
> to be in.  For instance, if we fall out of vfs_mkdir because
> may_create returned an error, we'd like to receive an audit message
> that said something like, "filename=myfile syscall= mkdir()
> error=<errno>.....", but, would I want to do this by hooking each
> conditional statement?  Is there a better approach?  The only other
> one I can think of would be to have one exit point in the functions
> and audit right before we exit...

The audit framework already lets you audit on syscall exit, which lets
you capture information like this.  As I understand it, you don't need
additional hooks for that purpose, just for enabling auditing based on
object identity and for propagating audit attributes on objects.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
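
Added example, not part of the original message or of the audit project's code: a sketch of reading syscall-exit records, which carry the syscall, the result and the errno the question asks about, and joining them to their PATH records by event ID. The log lines are constructed and simplified in the present-day Linux audit log layout, and the x86_64 syscall-number table and the names `parse` and `summarize` are assumptions of the example.

```python
import errno
import re
from collections import defaultdict

# Constructed, simplified sample records (not taken from the thread or a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1103054588.101:410): arch=c000003e syscall=83 success=no exit=-13 a0=7ffd1c2e a1=1ed items=1 pid=902 uid=1000 comm="mkdir" exe="/bin/mkdir"
type=PATH msg=audit(1103054588.101:410): item=0 name="/srv/data/" inode=131 nametype=PARENT
type=SYSCALL msg=audit(1103054590.220:411): arch=c000003e syscall=83 success=yes exit=0 a0=7ffd1c2e a1=1ed items=2 pid=903 uid=1000 comm="mkdir" exe="/bin/mkdir"
type=PATH msg=audit(1103054590.220:411): item=0 name="/tmp/" inode=2 nametype=PARENT
type=PATH msg=audit(1103054590.220:411): item=1 name="/tmp/ok" inode=77 nametype=CREATE
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_NAMES = {83: "mkdir"}  # assumption: x86_64 numbering, only the call used here

def parse(log):
    """Group records by audit event ID (timestamp:serial)."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "PATH":
            events[event_id]["paths"].append(fields.get("name"))
    return events

def summarize(log):
    """One entry per syscall event: name, outcome, errno name, paths touched."""
    out = []
    for event_id, ev in parse(log).items():
        sc = ev["syscall"]
        if sc is None:  # PATH records whose SYSCALL record is missing
            continue
        rc = int(sc["exit"])  # negative value is -errno on failure
        out.append({
            "event": event_id,
            "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
            "success": sc["success"] == "yes",
            "error": errno.errorcode.get(-rc) if rc < 0 else None,
            "paths": ev["paths"],
        })
    return out
```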



