best way to audit in vfs

Timothy R. Chavez chavezt at gmail.com
Tue Dec 14 21:09:26 UTC 2004


Yes,

But you have the problem of incomplete logs.  For testing purposes the
audit log should contain coherent and complete records only.  What
about just adding a list_head to the audit_context? We can then just add
all the necessary information about each object to that list, then just
write it out on syscall exit.


On Tue, 14 Dec 2004 15:59:13 -0500, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> On Tue, 2004-12-14 at 15:59, Timothy R. Chavez wrote:
> > Ok, this sounds most reasonable.  Thanks
> 
> What about the situation where multiple auditable objects are involved
> in the syscall, whether via multi-component pathnames, multiple pathname
> arguments to the syscall (e.g. rename, link), etc?  Easier to just
> immediately generate the object information from your hook, and then tie
> all such object-based audit records to the associated syscall exit
> record via the (timestamp, serial) tuples.
> 
> --
> Stephen Smalley <sds at epoch.ncsc.mil>
> National Security Agency
> 
> 


-- 
- Timothy R. Chavez




More information about the Linux-audit mailing list