best way to audit in vfs
Stephen Smalley
sds at epoch.ncsc.mil
Tue Dec 14 20:53:45 UTC 2004
On Tue, 2004-12-14 at 15:50, Serge E. Hallyn wrote:
> Why can't you store the info in the current->audit record until syscall
> exit, and only send a message to userspace if the syscall exit says to
> do so?
A single syscall might trigger auditing on multiple objects, e.g.
multi-component pathname lookup where multiple components are flagged
for auditing. The audit framework was designed to allow immediate
generation of partial audit records during syscall processing that would
then enable generation of a final audit record at syscall exit, with the
ability to tie them all together via the (timestamp, serial) tuples in
userspace. That is how SELinux works with the audit subsystem; SELinux
immediately generates an audit message as appropriate from its hooks,
and this triggers generation of a final audit record for the syscall
upon exit, so you might have multiple SELinux audit messages followed by
the syscall exit one.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
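The (timestamp, serial) tie-up described above happens in userspace. As an added example (not code from this thread, from SELinux or from the audit tools), here is a small Python grouper that collects the partial records emitted during one syscall (e.g. SELinux AVC messages from hooks) together with the SYSCALL record emitted at syscall exit, keyed by the shared tuple. It assumes the standard kernel audit record header `type=<TYPE> msg=audit(<secs>.<msecs>:<serial>):`, which the message above refers to only as the (timestamp, serial) tuple; the log lines are constructed samples, including one event whose exit record is missing so the grouper has to report it as incomplete.

```python
"""Group Linux audit records into per-syscall events by their (timestamp, serial) key."""
import re
from collections import OrderedDict

# Kernel audit record header: "type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): <body>".
# Assumption: this is the standard audit log header format; it is not quoted in the thread.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs inside the body; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Record types the kernel emits only at syscall exit (the closing record of an event).
EXIT_TYPES = {"SYSCALL"}

# Constructed sample log: event 1001 has two AVC messages (two path components
# flagged) followed by its SYSCALL exit record; event 1002 has one AVC and its
# exit record; event 1003 has an AVC but no exit record (e.g. truncated log).
SAMPLE = """\
type=AVC msg=audit(1103057625.123:1001): avc: denied { search } for pid=1234 comm="cat" name="etc" dev=hda1 ino=2 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=dir
type=AVC msg=audit(1103057625.123:1001): avc: denied { read } for pid=1234 comm="cat" name="shadow" dev=hda1 ino=42 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1103057625.123:1001): arch=40000003 syscall=5 success=no exit=-13 pid=1234 comm="cat"
type=AVC msg=audit(1103057626.456:1002): avc: granted { read } for pid=1235 comm="ls" name="home" dev=hda1 ino=3 scontext=user_u:user_r:user_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1103057626.456:1002): arch=40000003 syscall=195 success=yes exit=0 pid=1235 comm="ls"
type=AVC msg=audit(1103057627.789:1003): avc: denied { write } for pid=1236 comm="vi" name="motd" dev=hda1 ino=99 scontext=user_u:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""


def parse_record(line):
    """Return {type, key, fields, body} for one audit line, or None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "key": (m.group("ts"), int(m.group("serial"))),
        "fields": fields,
        "body": m.group("body"),
    }


def group_events(text):
    """Collect all records sharing one (timestamp, serial) key into a single event.

    Each event holds the partial records generated during the syscall (the
    SELinux AVC messages) and the SYSCALL record generated at syscall exit.
    Events whose exit record never arrived are kept with syscall=None.
    """
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # not an audit record, e.g. a stray log line
        ev = events.setdefault(rec["key"], {"partial": [], "syscall": None})
        if rec["type"] in EXIT_TYPES:
            ev["syscall"] = rec
        else:
            ev["partial"].append(rec)
    return events


def summarize(text):
    """One row per event: key, number of partial records, completeness and syscall outcome."""
    rows = []
    for key, ev in group_events(text).items():
        sc = ev["syscall"]
        rows.append({
            "key": key,
            "partial_records": len(ev["partial"]),
            "complete": sc is not None,
            "success": sc["fields"].get("success") if sc else None,
            "denials": sum(1 for r in ev["partial"]
                           if r["type"] == "AVC" and "denied" in r["body"]),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Keying on the raw timestamp string plus the integer serial avoids float rounding surprises when the same second carries several serials; an event that ends without a SYSCALL record is surfaced rather than silently dropped, since a missing exit record is itself worth noticing when reviewing a log.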
More information about the Linux-audit mailing list