best way to audit in vfs

Mounir Bsaibes bsaibes at us.ibm.com
Tue Dec 14 22:06:11 UTC 2004


What I have currently: on disk full, auditd will notify the kernel, 
which sets up a flag "disk_full_flag". During audit_log_start, if the 
disk_full_flag is set, the process will be queued in a wait queue until 
auditd or auditctl resets the disk_full_flag.
I can provide more details if needed. This is the general method I am 
going to use to cover this CAPP requirement.
Mounir

Mounir Bsaibes
Linux Security
Tel:  (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes at us.ibm.com



Klaus Weidner <klaus at atsec.com> 
Sent by: linux-audit-bounces at redhat.com
12/14/2004 03:48 PM
Please respond to Linux Audit Discussion

To: Chris Wright <chrisw at osdl.org>
cc: Linux Audit Discussion <linux-audit at redhat.com>
Subject: Re: best way to audit in vfs

On Tue, Dec 14, 2004 at 01:28:11PM -0800, Chris Wright wrote:
> * Klaus Weidner (klaus at atsec.com) wrote:
> > I think this is the fundamental disagreement here - if you want to filter
> > audit records based on object identity, you need to have the object
> > identity information available when applying the filter rules. If you
> > want to do the filtering in the kernel, there isn't really any
> > alternative to storing this information in kernel space.
> 
> Hmm, it's been a while since I looked at CAPP audit requirements, but
> doesn't it require action if log is full?  E.g., possibly not allowing
> request to complete?

It does, but this does not need to be instantaneous. The current plan is
that auditd notifies the kernel if it detects an "out of disk space"
condition, and this will tell the kernel that it shouldn't queue any
additional records.

When the in-kernel queue is full, any system calls that need to generate
an audit record block and wait for space to become available again. (BTW,
this may be an argument against generating audit records at arbitrary
places in the kernel, since such waiting may not be possible there.)

CAPP requires that the lossage of audit data has been minimized by the
developer and clearly documented. Losing a couple of records if the disk
is full and the system then crashes is acceptable from a CAPP point of
view.

-Klaus

--
Linux-audit mailing list
Linux-audit at redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
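Mounir's blocking design above (disk_full_flag set by auditd, callers of audit_log_start parked on a wait queue until auditctl clears it), modelled in user space with a mutex and condition variable standing in for the kernel wait queue. This is an added example, not code from the thread or from the Linux audit subsystem; audit_set_disk_full, audit_stat and audit_worker are hypothetical names.

```c
#include <pthread.h>
#include <stdbool.h>
#include <unistd.h>

/* Hypothetical user-space model (not kernel code) of the design in the thread:
 * auditd/auditctl toggle disk_full_flag; audit_log_start() sleeps while it is set. */
static pthread_mutex_t audit_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t audit_waitq = PTHREAD_COND_INITIALIZER;
static bool disk_full_flag = false;
static unsigned long records_started = 0; /* records that got past the gate */
static unsigned long waiters = 0;         /* callers currently asleep */

/* auditd calls this with true on "out of disk space"; auditctl (or auditd once
 * space is back) calls it with false, which releases every sleeping caller. */
void audit_set_disk_full(bool full)
{
    pthread_mutex_lock(&audit_lock);
    disk_full_flag = full;
    if (!full)
        pthread_cond_broadcast(&audit_waitq); /* wake all blocked callers */
    pthread_mutex_unlock(&audit_lock);
}

/* Gate every record through the flag: 0 on the fast path, else how many times the
 * caller slept. Sleeping is only safe in process context (the caveat in the thread). */
int audit_log_start(void)
{
    int slept = 0;
    pthread_mutex_lock(&audit_lock);
    while (disk_full_flag) {              /* re-check after every wake-up */
        waiters++; slept++;
        pthread_cond_wait(&audit_waitq, &audit_lock);
        waiters--;
    }
    records_started++;
    pthread_mutex_unlock(&audit_lock);
    return slept;
}
unsigned long audit_stat(int which) /* 0 -> records started, else waiters */
{
    pthread_mutex_lock(&audit_lock);
    unsigned long n = which == 0 ? records_started : waiters;
    pthread_mutex_unlock(&audit_lock);
    return n;
}
void *audit_worker(void *arg) /* thread body: a syscall that must log a record */
{
    *(int *)arg = audit_log_start();
    return NULL;
}
```

The record is delayed, never discarded, which is the CAPP property the thread is after; the cost is that the calling thread holds whatever it was doing until space returns.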
