best way to audit in vfs
Stephen Smalley
sds at epoch.ncsc.mil
Tue Dec 14 21:32:14 UTC 2004
On Tue, 2004-12-14 at 16:33, Timothy R. Chavez wrote:
> Well my original message I think was hinting at doing it this way?
> But to do it effectively with only one hook, you'd need one exit
> point, right?

No. You just need to:
1) have your hook function decide whether auditing is required,
2) if so, have it emit a partial audit record with information not
available at syscall exit,
3) this will automatically enable auditing upon syscall exit.

And your audit hook can be called very early, as soon as you have the
object available.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
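
The three steps in the reply above, as an added example that is not part of the original message and is not kernel code: a user-space C model in which a hook decides, records a partial record, and thereby marks the syscall for auditing at exit. All names (`audit_ctx`, `audit_hook`, `audit_syscall_exit`) and the watch list are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_AUX 4

/* Hypothetical per-syscall audit state. */
struct audit_ctx {
    int  auditable;          /* set once any hook emits a partial record */
    int  naux;               /* partial records collected so far */
    char aux[MAX_AUX][64];   /* data no longer available at syscall exit */
};

/* Constructed watch list: objects whose access must be audited. */
static const char *watched[] = { "/etc/shadow", "/etc/passwd" };

/* Step 1: decide whether auditing is required for this object. */
static int audit_required(const char *path) {
    for (size_t i = 0; i < sizeof watched / sizeof watched[0]; i++)
        if (strcmp(path, watched[i]) == 0)
            return 1;
    return 0;
}

/* Steps 2 and 3: store the partial record and flag the syscall.
 * Callable from any code path as soon as the object is known. */
static void audit_hook(struct audit_ctx *ctx, const char *path) {
    if (!audit_required(path))
        return;
    if (ctx->naux < MAX_AUX)
        snprintf(ctx->aux[ctx->naux++], sizeof ctx->aux[0], "obj=%s", path);
    ctx->auditable = 1;      /* still audited even if the aux table is full */
}

/* Syscall exit: writes the full record only if a hook asked for it.
 * Returns 1 if a record was written to out, 0 otherwise; resets ctx. */
static int audit_syscall_exit(struct audit_ctx *ctx, const char *name,
                              long ret, char *out, size_t len) {
    int emitted = ctx->auditable;
    if (emitted) {
        int n = snprintf(out, len, "syscall=%s exit=%ld", name, ret);
        for (int i = 0; i < ctx->naux && n > 0 && (size_t)n < len; i++)
            n += snprintf(out + n, len - n, " %s", ctx->aux[i]);
    }
    memset(ctx, 0, sizeof *ctx);
    return emitted;
}
```

The hook needs no knowledge of how many return paths the syscall has; only the exit routine inspects the flag, so an unwatched object costs one lookup and produces no record.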
More information about the Linux-audit
mailing list