best way to audit in vfs

Chris Wright chrisw at osdl.org
Tue Dec 14 21:07:58 UTC 2004


* Stephen Smalley (sds at epoch.ncsc.mil) wrote:
> On Tue, 2004-12-14 at 15:59, Timothy R. Chavez wrote:
> > Ok, this sounds most reasonable.  Thanks
> 
> What about the situation where multiple auditable objects are involved
> in the syscall, whether via multi-component pathnames, multiple pathname
> arguments to the syscall (e.g. rename, link), etc?  Easier to just
> immediately generate the object information from your hook, and then tie
> all such object-based audit records to the associated syscall exit
> record via the (timestamp, serial) tuples.

Or let any of those auditable objects trigger a flush on exit.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
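
Added example, not part of the original message and not code from the audit project: a user-space sketch of the correlation discussed in the quoted text, grouping per-object records under their syscall record by the (timestamp, serial) tuple and reporting tuples that have object records but no syscall record. The log lines are constructed and simplified from the "msg=audit(timestamp:serial)" record header of Linux audit logs; the function names and field values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread), simplified from the
# "type=... msg=audit(timestamp:serial): ..." layout of Linux audit logs.
SAMPLE_LOG = """\
type=PATH msg=audit(1103058478.101:57): item=0 name="/etc/shadow.new" inode=4711
type=PATH msg=audit(1103058478.101:57): item=1 name="/etc/shadow" inode=4712
type=SYSCALL msg=audit(1103058478.101:57): syscall=rename success=yes exit=0 pid=812
type=PATH msg=audit(1103058478.101:58): item=0 name="/tmp/scratch" inode=9001
type=SYSCALL msg=audit(1103058478.101:58): syscall=unlink success=yes exit=0 pid=812
type=PATH msg=audit(1103058479.250:59): item=0 name="/etc/passwd" inode=4700
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return ((timestamp, serial), record_type, fields) or None."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return (ts, int(serial)), rtype, fields

def correlate(log_text):
    """Group object (PATH) records under the syscall record sharing their tuple."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # not an audit record
        key, rtype, fields = rec
        if rtype == "SYSCALL":
            events[key]["syscall"] = fields
        elif rtype == "PATH":
            events[key]["paths"].append(fields)
    return dict(events)

def orphans(events):
    """Tuples with object records but no syscall exit record to tie them to."""
    return sorted(k for k, e in events.items() if e["syscall"] is None)

if __name__ == "__main__":
    events = correlate(SAMPLE_LOG)
    for (ts, serial), ev in sorted(events.items()):
        call = ev["syscall"]["syscall"] if ev["syscall"] else "<no exit record>"
        print(ts, serial, call, [p["name"] for p in ev["paths"]])
    print("orphans:", orphans(events))
```

Serials 57 and 58 share one timestamp in the sample, so the serial is what keeps the rename's two paths apart from the unlink's path.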



