best way to audit in vfs
Timothy R. Chavez
chavezt at gmail.com
Tue Dec 14 20:59:09 UTC 2004
Serge,
Ok, this sounds most reasonable. Thanks
-Tim
On Tue, 14 Dec 2004 14:50:14 -0600, Serge E. Hallyn <serue at us.ibm.com> wrote:
> Tim,
>
> Why can't you store the info in the current->audit record until syscall
> exit, and only send a message to userspace if the syscall exit says to
> do so?
>
> -serge
>
> Quoting Timothy R. Chavez (chavezt at gmail.com):
> > Stephen,
> >
> > Yes I've also been giving that some thought too. How we split up
> > responsibility. If we do as you suggested, we'd simply have to piece
> > together each log message in userspace with the appropriate timestamp
> > and serial number to get the full record. Still there would need to
> > be a hook there that gave the piece of the record the syscall couldn't
> > create, that is, the "filename=%s filterkey=%s (which could be used in
> > userspace to index a table that will return the full path location
> > that filename completes or whatever)", right? Plus the hooks to
> > assign "auditability" to those filenames that appear in our
> > watchlists. Anyway, this approach is reasonable. I'll just figure
> > out this route and leave it up to userspace to stich the complete
> > record together.
> >
> > (send this privately by accident)
> >
> > On Tue, 14 Dec 2004 15:03:08 -0500, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> > > On Tue, 2004-12-14 at 15:00, Timothy R. Chavez wrote:
> > > > Hello,
> > > >
> > > > I've been kind of thinking about this. Presumably, we want to audit
> > > > both failed and successful attempts in whatever vfs function we happen
> > > > to be in. For instance, if we fall out of vfs_mkdir because
> > > > may_create returned an error, we'd like to receive an audit message
> > > > that said something like, "filename=myfile syscall= mkdir()
> > > > error=<errno>.....", but, would I want to do this by hooking each
> > > > conditional statement? Is there a better approach? The only other
> > > > one I can think of would be to have one exit point in the functions
> > > > and audit right before we exit...
> > >
> > > The audit framework already lets you audit on syscall exit, which lets
> > > you capture information like this. As I understand it, you don't need
> > > additional hooks for that purpose, just for enabling auditing based on
> > > object identity and for propagating audit attributes on objects.
> > >
> > > --
> > > Stephen Smalley <sds at epoch.ncsc.mil>
> > > National Security Agency
> > >
> > >
> >
> >
> > --
> > - Timothy R. Chavez
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > http://www.redhat.com/mailman/listinfo/linux-audit
> >
>
--
- Timothy R. Chavez
More information about the Linux-audit
mailing list