best way to audit in vfs

Klaus Weidner klaus at atsec.com
Tue Dec 14 23:04:46 UTC 2004


On Wed, Dec 15, 2004 at 09:47:38AM +1100, Leigh Purdie wrote:
> On Tue, 2004-12-14 at 15:42 -0600, Serge E. Hallyn wrote:
> > No, I think we all agree that anything much more complicated should be done
> > in userspace.  The only real reason to care about doing some in kernel space,
> > I think, is to minimize wasted kernel->auditd traffic.
> 
> Caveat: I don't recommend asking userspace to grab the full path name
> from inode information supplied by the kernel, as has been suggested in
> the past. Although this shifts the burden of processing in the right
> direction (ie: to user-space), by the time the inode info gets there,
> the file might have already gone.

Agreed, none of the current approaches are planning to do that.

> UID/GID -> User/Group Name has similar issues I guess, but much harder
> to cover (as the kernel generally doesn't have visibility of user
> names).

Well, at least here the mapping can be changed only by trusted processes,
so this doesn't seem exploitable. Since CAPP requires changes to the user
database to be audited, the information to reconstruct the correct
meaning would be present in audit records.

-Klaus
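Klaus's point that a UID-to-name mapping can be reconstructed from audit records, and Leigh's point that resolving after the fact is risky, can be made concrete with the example below. This is an added illustration and is not code from the thread or from the audit project; the record format (a flat sequence of `useradd`/`userdel`/`usermod` events interleaved with syscall records, each carrying a sequence number) is a constructed simplification, not the real kernel audit record layout, and the sample records are made up. It shows what goes wrong if UIDs are resolved against the user database as it stands at analysis time, and how replaying the audited user-database changes up to each event gives the name that was actually in effect.

```python
"""Resolve UIDs in an audit stream to user names as of the time of each event.

Added example, not part of the original mailing-list post.  The record
format below is constructed for illustration and is NOT the real Linux
audit record layout: it only models the two kinds of information the
thread says an audit trail must carry, namely audited changes to the
user database and the syscall events that reference UIDs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    seq: int            # monotonically increasing sequence number
    kind: str           # "useradd" | "userdel" | "usermod" | "syscall"
    uid: int
    name: Optional[str] = None   # for user-database changes
    detail: str = ""             # for syscall records (what happened)


# Constructed sample stream.  Note that uid 1001 is deleted and then
# reassigned to a different user, and that uid 1002 never exists.
RECORDS: List[Record] = [
    Record(1, "useradd", 1001, name="alice"),
    Record(2, "syscall", 1001, detail="open /etc/shadow"),
    Record(3, "userdel", 1001, name="alice"),
    Record(4, "useradd", 1001, name="bob"),           # uid reuse
    Record(5, "syscall", 1001, detail="unlink /var/log/messages"),
    Record(6, "syscall", 1002, detail="chmod /etc/passwd"),
    Record(7, "usermod", 1001, name="robert"),        # rename of bob
]

Annotated = Tuple[int, int, str, str]   # (seq, uid, resolved name, detail)


def apply_change(names: Dict[int, str], rec: Record) -> None:
    """Apply one audited user-database change to the uid->name map."""
    if rec.kind == "useradd":
        names[rec.uid] = rec.name or ""
    elif rec.kind == "userdel":
        names.pop(rec.uid, None)
    elif rec.kind == "usermod" and rec.name is not None:
        names[rec.uid] = rec.name


def label(names: Dict[int, str], uid: int) -> str:
    """Name in effect for uid, or a stable fallback if none was defined."""
    return names.get(uid, f"uid={uid}")


def resolve_at_event_time(records: List[Record]) -> List[Annotated]:
    """Single pass: replay user-database changes in order and label each
    syscall with the name that was valid when the syscall was recorded."""
    names: Dict[int, str] = {}
    out: List[Annotated] = []
    for rec in sorted(records, key=lambda r: r.seq):
        if rec.kind == "syscall":
            out.append((rec.seq, rec.uid, label(names, rec.uid), rec.detail))
        else:
            apply_change(names, rec)
    return out


def resolve_with_current_db(records: List[Record]) -> List[Annotated]:
    """The naive approach: build the final user database and resolve every
    historical syscall against it.  This is what a tool does when it just
    calls getpwuid() at analysis time, and it misattributes reused UIDs."""
    names: Dict[int, str] = {}
    for rec in sorted(records, key=lambda r: r.seq):
        if rec.kind != "syscall":
            apply_change(names, rec)
    return [(r.seq, r.uid, label(names, r.uid), r.detail)
            for r in sorted(records, key=lambda r: r.seq)
            if r.kind == "syscall"]


if __name__ == "__main__":
    print("correct (name as of event time):")
    for row in resolve_at_event_time(RECORDS):
        print("  ", row)
    print("naive (name as of analysis time):")
    for row in resolve_with_current_db(RECORDS):
        print("  ", row)
```

With the constructed stream, the replaying resolver attributes record 2 to alice and record 5 to bob, while the naive resolver attributes both to robert, the name that uid 1001 carries at the end of the stream. The replay only works because the useradd/userdel/usermod records are themselves in the trail, which is the property Klaus relies on; the same trick does not carry over to file names, since the inode-to-path relationship is changed by unprivileged processes and is not otherwise reconstructible from the records, which is Leigh's objection.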




More information about the Linux-audit mailing list