best way to audit in vfs
Stephen Smalley
sds at epoch.ncsc.mil
Wed Dec 15 17:15:03 UTC 2004
On Wed, 2004-12-15 at 12:03, Timothy R. Chavez wrote:
> That seems like a pretty good idea since all the information about the
> syscall will be covered elsewhere, all we really need is a place
> where we have the inode and access to its audit data. The two places
> (maybe three? vfs_mknod?) vfs_create and vfs_mkdir (vfs_link wouldn't
> be necessary if we assume a hardlink's inode audit information is
> never overwritten ever)
Do you mean hooks for preserving audit attributes? Yes, you would still
need hooks for that purpose, but for simply enabling auditing based on
object identity, a single hook in permission may be sufficient, where
that hook would check whether the object was auditable and if so, add
the object identity and requested permission mask to a list hung off of
current->audit_context for later processing by audit_syscall_exit (in
determining whether or not to audit) and audit_log_exit (in providing
supplementary audit information in the audit record).
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
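
Added example, not part of the original message and not kernel code: a userspace C model of the design described above, where a hook in the permission check records object identity and requested mask on a per-task list, and syscall exit uses that list both to decide whether to audit and to supply the extra record fields. The struct layouts and the names audit_note_permission and audit_exit are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every name here is hypothetical, not a kernel API. */
struct inode { unsigned long ino; int auditable; };

struct audit_obj {                /* one entry per auditable object touched */
    unsigned long ino;            /* object identity */
    unsigned int mask;            /* requested permission mask */
    struct audit_obj *next;
};

struct audit_context { struct audit_obj *objs; int nobjs; };

/* Called from the permission check: record identity + mask if auditable. */
static int audit_note_permission(struct audit_context *ctx,
                                 const struct inode *inode, unsigned int mask)
{
    struct audit_obj *o;

    if (!ctx || !inode->auditable)
        return 0;                 /* object not flagged: nothing recorded */
    o = malloc(sizeof(*o));
    if (!o)
        return -1;                /* caller must decide how to treat a lost record */
    o->ino = inode->ino;
    o->mask = mask;
    o->next = ctx->objs;          /* push onto the per-task list */
    ctx->objs = o;
    ctx->nobjs++;
    return 1;
}

/* Syscall exit: audit only if something was recorded, then free the list. */
static int audit_exit(struct audit_context *ctx, char *buf, size_t len)
{
    int emit = ctx->objs != NULL; /* the "whether or not to audit" decision */
    size_t off = 0;

    while (ctx->objs) {
        struct audit_obj *o = ctx->objs;
        if (off < len)            /* supplementary fields for the record */
            off += snprintf(buf + off, len - off, "ino=%lu mask=%#x ", o->ino, o->mask);
        ctx->objs = o->next;
        free(o);
    }
    ctx->nobjs = 0;
    return emit;
}
```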