best way to audit in vfs

Leigh Purdie Leigh.Purdie at intersectalliance.com
Tue Dec 14 22:47:38 UTC 2004


On Tue, 2004-12-14 at 15:42 -0600, Serge E. Hallyn wrote:
> No, I think we all agree that anything much more complicated should be done
> in userspace.  The only real reason to care about doing some in kernel space,
> I think, is to minimize wasted kernel->auditd traffic.

Caveat: I don't recommend asking userspace to grab the full path name
from inode information supplied by the kernel, as has been suggested in
the past. Although this shifts the burden of processing in the right
direction (i.e., to user-space), by the time the inode info gets there,
the file might have already gone.

UID/GID -> User/Group Name has similar issues I guess, but much harder
to cover (as the kernel generally doesn't have visibility of user
names).

Leigh.
-- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
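
Added example (not part of the original post, and not code from the Linux audit project): a C sketch of the race described above, where the audit record carries only a (device, inode) pair and user space looks the name up later. The functions `resolve_inode` and `demo_late_resolution`, the /tmp directory and the file names are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical user-space resolver: scan dir for an entry matching (dev, ino).
 * Copies the entry name into out and returns 1 on a match, 0 if none. */
static int resolve_inode(const char *dir, dev_t dev, ino_t ino, char *out, size_t n)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    struct stat st;
    char path[4096];
    int found = 0;
    if (!d) return 0;
    while (!found && (e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) == 0 && st.st_dev == dev && st.st_ino == ino) {
            snprintf(out, n, "%s", e->d_name);
            found = 1;
        }
    }
    closedir(d);
    return found;
}

/* Returns 0 when both late lookups misreport the audited access, -1 otherwise. */
int demo_late_resolution(char *after_rename, size_t n)
{
    char dir[] = "/tmp/auditdemoXXXXXX", a[64], b[64], name[256];
    struct stat ev;   /* stands in for the kernel record: device + inode only */
    int fd, ok;

    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/secret.txt", dir);
    snprintf(b, sizeof b, "%s/renamed.txt", dir);
    fd = open(a, O_CREAT | O_WRONLY, 0600);   /* the audited access, via "secret.txt" */
    if (fd < 0 || fstat(fd, &ev) != 0) return -1;
    close(fd);
    rename(a, b);                             /* occurs before the daemon reads the event */
    ok = resolve_inode(dir, ev.st_dev, ev.st_ino, after_rename, n); /* yields the new name */
    unlink(b);                                /* file is gone before the next lookup */
    ok = ok && !resolve_inode(dir, ev.st_dev, ev.st_ino, name, sizeof name);
    rmdir(dir);
    return ok ? 0 : -1;
}
```

After the rename the lookup reports a name the process never used, and after the unlink it reports nothing, so the log entry cannot be tied back to the path that was actually accessed.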
