best way to audit in vfs

Timothy R. Chavez chavezt at gmail.com
Tue Dec 14 21:33:35 UTC 2004


On Tue, 14 Dec 2004 16:22:59 -0500, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
> > Actually that's the problem - the hook functions only determine whether
> > the action is potentially auditable.  It might only be auditable when
> > accessed by a certain user.  Or, there might be a single user for whom
> > we want to audit every access.  But that doesn't mean we want every access
> > by every user causing a partial audit record to be emitted.
> 
> Yes, but why can't you make the full determination in your hook
> function?  At the point of the hook function, you know:
> - the current process information,
> - the object information,
> - the call site.

Well, my original message, I think, was hinting at doing it this way?
But to do it effectively with only one hook, you'd need one exit
point, right?  If you wanted to generate a complete record as soon as
you have it ready (from the VFS function) then you'd write out to the
log a one-off message from VFS... but that will completely separate
you from syscall filtering/auditing and change the topology of VFS
and... well, I value my life ;-).

> 
> It is possible that you have some complex audit configuration in mind
> that requires tying together information from multiple hooks in order to
> determine whether or not to audit the operation, but I'm not sure
> whether that is necessary.

> --
> Stephen Smalley <sds at epoch.ncsc.mil>
> National Security Agency
> 
> 


-- 
- Timothy R. Chavez
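The two designs argued over above (decide everything in the hook, versus emit a partial record and finish the decision at syscall exit) are easier to compare in code. The following is an added userspace model written for this page; it is not kernel code, not the Linux audit subsystem's own implementation, and not anything posted by the participants. The structures (`task`, `object`, `rule`, `audit_ctx`), the `only_failed` rule field and the helper names are all hypothetical. It shows which rules a hook can settle with only the process, object and call site it sees, and which ones (here: "audit only failed opens") force a partial record that must wait for the syscall's return value.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified views of what a VFS/LSM hook can see. */
struct task   { uint32_t pid; uint32_t uid; const char *comm; };
struct object { uint32_t dev; uint32_t ino; const char *path; };
enum callsite { CS_OPEN = 0, CS_UNLINK = 1, CS_RENAME = 2 };

#define ANY (-1)
/* Toy audit rule: uid and callsite are known at the hook; only_failed
   needs the syscall return value and so cannot be decided at the hook. */
struct rule {
    int uid;          /* ANY or a specific uid */
    int callsite;     /* ANY or an enum callsite value */
    int only_failed;  /* 1 = record only if the syscall fails */
};

static int rule_matches_hook(const struct rule *r, const struct task *t, int cs)
{
    if (r->uid != ANY && (uint32_t)r->uid != t->uid) return 0;
    if (r->callsite != ANY && r->callsite != cs) return 0;
    return 1;
}

/* Hook-time decision.  Returns 1 if a rule matches on hook-visible data
   alone (emit a full record now), 0 if nothing matches (emit nothing), or
   -1 if the only matching rules also need the syscall result (defer: keep a
   partial entry in the per-syscall context and decide at exit). */
int hook_decide(const struct rule *rules, size_t n, const struct task *t,
                const struct object *o, int cs)
{
    int deferred = 0;
    (void)o;  /* these toy rules do not filter on the object itself */
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches_hook(&rules[i], t, cs)) continue;
        if (rules[i].only_failed) { deferred = 1; continue; }
        return 1;
    }
    return deferred ? -1 : 0;
}

/* Per-syscall context holding partial records until syscall exit. */
#define MAX_PARTIAL 8
struct partial { struct object obj; int callsite; };
struct audit_ctx {
    struct task task;
    size_t count;
    struct partial names[MAX_PARTIAL];
};

void audit_ctx_init(struct audit_ctx *c, const struct task *t)
{
    c->task = *t;
    c->count = 0;
}

/* Called from a hook that chose to defer; bounded so a syscall touching
   many objects cannot overrun the context. */
int audit_ctx_add(struct audit_ctx *c, const struct object *o, int cs)
{
    if (c->count >= MAX_PARTIAL) return -ENOSPC;
    c->names[c->count].obj = *o;
    c->names[c->count].callsite = cs;
    c->count++;
    return 0;
}

/* Exit-time filtering: the return value is now known, so rules that depend
   on it can be applied.  Returns the number of records emitted and clears
   the context for the next syscall. */
size_t audit_ctx_exit(struct audit_ctx *c, const struct rule *rules, size_t n,
                      long retval)
{
    size_t emitted = 0;
    for (size_t i = 0; i < c->count; i++) {
        const struct partial *p = &c->names[i];
        for (size_t j = 0; j < n; j++) {
            if (!rule_matches_hook(&rules[j], &c->task, p->callsite)) continue;
            if (rules[j].only_failed && retval >= 0) continue;
            printf("audit: uid=%u pid=%u comm=%s callsite=%d dev=%u ino=%u "
                   "path=%s ret=%ld\n", c->task.uid, c->task.pid, c->task.comm,
                   p->callsite, p->obj.dev, p->obj.ino, p->obj.path, retval);
            emitted++;
            break;  /* one record per object even if several rules match */
        }
    }
    c->count = 0;
    return emitted;
}

int main(void)
{
    /* Constructed rules: every unlink by uid 1000; failed opens by anyone. */
    const struct rule rules[] = { {1000, CS_UNLINK, 0}, {ANY, CS_OPEN, 1} };
    const struct task alice = {4242, 1000, "rm"}, root = {1, 0, "cat"};
    const struct object shadow = {8, 99, "/etc/shadow"};  /* constructed */
    struct audit_ctx ctx;

    printf("alice unlink -> %d\n", hook_decide(rules, 2, &alice, &shadow, CS_UNLINK));
    printf("root open    -> %d\n", hook_decide(rules, 2, &root, &shadow, CS_OPEN));
    audit_ctx_init(&ctx, &root);
    audit_ctx_add(&ctx, &shadow, CS_OPEN);
    printf("records at exit: %zu\n", audit_ctx_exit(&ctx, rules, 2, -EACCES));
    return 0;
}
```

The point the model makes concrete: a per-user or per-callsite rule is fully decidable in the hook, exactly as Stephen says, and only a rule that depends on the outcome of the whole syscall needs the partial-record path; the deferred path also needs a bound on how much state one syscall may accumulate.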



