best way to audit in vfs

Stephen Smalley sds at epoch.ncsc.mil
Tue Dec 14 21:12:55 UTC 2004


On Tue, 2004-12-14 at 16:09, Timothy R. Chavez wrote:
> Yes,
> 
> But you have the problem of incomplete logs.  For testing purposes the
> audit log should contain coherent and complete records only.  What
> about just adding a list_head to the audit_context and we can just add
> all the necessary information about each object to that list then just
> write-out on syscall exit?

As soon as you know that the object is auditable, you presumably would
like to have an audit record about it, even if the full operation
doesn't complete (in fact, if you've determined that the object is
auditable, you want to immediately verify that you can at least audit
that information; otherwise, you may need to take some emergency action
then, not after the operation has completed and it is too late).  Note
that your hook functions are what is determining whether or not an audit
record should be generated (based on the object information).

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
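
An added example, not part of the original message or of the kernel audit code: a user-space C model contrasting the two timings discussed above, queuing object information and writing it out at syscall exit versus emitting a record as soon as a hook decides the object is auditable. All names (`audit_log`, `log_emit`, `run_deferred`, `run_immediate`, `LOG_CAPACITY`) are hypothetical, and the fixed-size backlog is an assumed stand-in for any condition that makes a record impossible to write.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; none of these names are kernel APIs. */
#define LOG_CAPACITY 2              /* assumed: record slots left in the log */

struct audit_log { int used; };

struct result {
    int  ops_done;       /* object operations that actually ran */
    int  unaudited;      /* operations that ran but have no record */
    bool stopped_early;  /* emergency action taken before touching an object */
};

/* Commit one record; fails once the log cannot take any more. */
static bool log_emit(struct audit_log *log)
{
    if (log->used >= LOG_CAPACITY)
        return false;
    log->used++;
    return true;
}

/* Deferred: hooks only queue object info; records are written at exit. */
struct result run_deferred(struct audit_log *log, int nobjects)
{
    struct result r = {0, 0, false};
    int queued = 0;

    for (int i = 0; i < nobjects; i++) {
        queued++;        /* list_add-style bookkeeping, no log write yet */
        r.ops_done++;    /* the operation on the object proceeds */
    }
    for (int i = 0; i < queued; i++)
        if (!log_emit(log))
            r.unaudited++;   /* failure found after the fact: too late */
    return r;
}

/* Immediate: the hook emits as soon as the object is known auditable. */
struct result run_immediate(struct audit_log *log, int nobjects)
{
    struct result r = {0, 0, false};

    for (int i = 0; i < nobjects; i++) {
        if (!log_emit(log)) {        /* cannot audit: react now */
            r.stopped_early = true;
            break;
        }
        r.ops_done++;
    }
    return r;
}

int main(void)
{
    struct audit_log a = {0}, b = {0};
    struct result d = run_deferred(&a, 3), m = run_immediate(&b, 3);

    printf("deferred:  done=%d unaudited=%d\n", d.ops_done, d.unaudited);
    printf("immediate: done=%d unaudited=%d stopped=%d\n",
           m.ops_done, m.unaudited, m.stopped_early);
    return 0;
}
```
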



