best way to audit in vfs

Serge E. Hallyn serue at us.ibm.com
Tue Dec 14 21:24:47 UTC 2004


Quoting Stephen Smalley (sds at epoch.ncsc.mil):
> On Tue, 2004-12-14 at 16:09, Timothy R. Chavez wrote:
> > Yes,
> > 
> > But you have the problem of incomplete logs.  For testing purposes the
> > audit log should contain coherent and complete records only.  What
> > about just adding a list_head to the audit_context and we can just add
> > all the necessary information about each object to that list then just
> > write-out on syscall exit?
> 
> As soon as you know that the object is auditable, you presumably would
> like to have an audit record about it, even if the full operation
> doesn't complete (in fact, if you've determined that the object is
> auditable, you want to immediately verify that you can at least audit
> that information; otherwise, you may need to take some emergency action
> then, not after the operation has completed and it is too late).  Note
> that your hook functions are what is determining whether or not an audit
> record should be generated (based on the object information).

Actually that's the problem - the hook functions only determine whether
the action is potentially auditable.  It might only be auditable when
accessed by a certain user.  Or, there might be a single user for whom
we want to audit every access.  But that doesn't mean we want every access
by every user causing a partial audit record to be emitted.

Please let me know if I'm thinking wrongly...

-serge
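The scheme debated above (queue object information on the audit_context as the VFS hooks run, then decide and write out once on syscall exit) can be modelled in userspace. The block below is an added illustration for this archive page, not kernel code and not code from anyone in the thread: the `audit_ctx`, `audit_rule`, `audit_hook_object` and `audit_syscall_exit` names, the singly linked list standing in for a `list_head`, the syscall number and the rule set are all constructed for the example. It shows Serge's point: a hook can only say an object is potentially auditable, so the record is either emitted whole at exit, once the user is known to match a rule, or not at all, and no partial record is ever written for non-matching users.

```c
/* Added example (not Linux kernel code): userspace model of queuing object
 * info in the audit context and emitting one complete record at syscall
 * exit. All names and the rule set below are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ANY_UID ((unsigned)-1)

/* One object touched during the syscall; hooks append these as they run. */
struct audit_obj {
    char path[64];
    unsigned inode;
    struct audit_obj *next;
};

/* Per-syscall context: who is acting and what they touched so far. */
struct audit_ctx {
    unsigned uid;
    int syscall;
    struct audit_obj *objs;   /* queued objects, in hook order */
    int nobjs;
};

/* Filter rule: uid ANY_UID matches every user, path NULL matches every object. */
struct audit_rule {
    unsigned uid;
    const char *path;
};

/* Constructed rule set: audit every access by uid 1000, and audit
 * /etc/shadow only when uid 500 touches it. */
static const struct audit_rule rules[] = {
    { 1000, NULL },
    { 500, "/etc/shadow" },
};

void audit_ctx_init(struct audit_ctx *ctx, unsigned uid, int syscall)
{
    ctx->uid = uid; ctx->syscall = syscall; ctx->objs = NULL; ctx->nobjs = 0;
}

/* Hook model: the object is only potentially auditable here, so queue it
 * instead of emitting a partial record. Returns the queue length, -1 on OOM. */
int audit_hook_object(struct audit_ctx *ctx, const char *path, unsigned inode)
{
    struct audit_obj *o = calloc(1, sizeof(*o));
    if (!o) return -1;
    snprintf(o->path, sizeof o->path, "%s", path);
    o->inode = inode;
    struct audit_obj **pp = &ctx->objs;      /* append at tail: access order */
    while (*pp) pp = &(*pp)->next;
    *pp = o;
    return ++ctx->nobjs;
}

/* Does any rule select this (uid, object) pair? */
static int rule_matches(unsigned uid, const char *path)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (rules[i].uid != ANY_UID && rules[i].uid != uid) continue;
        if (rules[i].path && strcmp(rules[i].path, path) != 0) continue;
        return 1;
    }
    return 0;
}

/* Exit model: decide once, with the user known. Writes one complete record
 * covering every queued object into buf, or an empty string if no rule
 * matched. The queue is freed either way. Returns 1 if a record was emitted. */
int audit_syscall_exit(struct audit_ctx *ctx, char *buf, size_t len)
{
    int emit = 0;
    for (struct audit_obj *o = ctx->objs; o; o = o->next)
        if (rule_matches(ctx->uid, o->path)) { emit = 1; break; }
    if (len) buf[0] = '\0';
    if (emit && len) {
        size_t n = snprintf(buf, len, "syscall=%d uid=%u items=%d",
                            ctx->syscall, ctx->uid, ctx->nobjs);
        for (struct audit_obj *o = ctx->objs; o && n < len; o = o->next) {
            int r = snprintf(buf + n, len - n, " path=%s ino=%u", o->path, o->inode);
            if (r < 0) break;
            n += (size_t)r;
        }
    }
    while (ctx->objs) { struct audit_obj *o = ctx->objs; ctx->objs = o->next; free(o); }
    ctx->nobjs = 0;
    return emit;
}

/* Scenario helper: one syscall touching `path` and its parent directory. */
static char last[256];
int scenario_emits(unsigned uid, const char *path)
{
    struct audit_ctx ctx;
    audit_ctx_init(&ctx, uid, 5);            /* syscall number is arbitrary here */
    audit_hook_object(&ctx, path, 4242);     /* inode numbers are constructed */
    audit_hook_object(&ctx, "/etc", 2);
    return audit_syscall_exit(&ctx, last, sizeof last);
}
const char *last_record(void) { return last; }

int main(void)
{
    printf("uid 1000: %d %s\n", scenario_emits(1000, "/etc/shadow"), last_record());
    printf("uid 1001: %d %s\n", scenario_emits(1001, "/etc/shadow"), last_record());
    return 0;
}
```

The decision is made exactly once, at exit, with both the object list and the acting user in hand; the hooks never write anything, so a user no rule selects produces no half record, and a selected user always gets a record that names every object the syscall touched. The cost Stephen raises in the quoted reply is visible too: if writing the record fails at exit, the operation has already completed.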



