audit syscall information.

Olaf Kirch okir at suse.de
Fri Apr 22 19:44:31 UTC 2005


On Sat, Apr 23, 2005 at 12:56:43AM +1000, David Woodhouse wrote:
> Two weeks ago on our conference call, I asked if there were any other
> syscalls where I should add similar hooks to log the data which are
> actually acted upon, rather than merely the pointer. This morning I'll
> ask again -- are there any more system calls where we need to log
> anything more than the arguments to the syscall?

In Laus, we decided to log various ioctls related to configuration
changes - mostly the network stuff, but some others as well.

capset() would also be fairly important I guess, as well as setgroups,
setrlimit, setdomainname, the module-related stuff, *xattr, setrlimit.
settimeofday and stime as well.

You also need to intercept rtnetlink messages to catch all network
related configuration changes, but I guess you're already doing
that somewhere else.

Olaf
-- 
Olaf Kirch   |  --- o --- Nous sommes du soleil we love when we play
okir at suse.de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
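An added example, not part of Olaf's mail and not code from LAuS or auditd: a small Python checker that parses an audit.rules fragment and reports which of the configuration-changing syscalls named above (plus ioctl, standing in for the network ioctls LAuS logged) still have no `always,exit` rule for each ABI. The sample rules are constructed, and treating a rule with no `-F arch=` filter as applying to the native 64-bit ABI is an assumption.

```python
import shlex

# Constructed for this example: the syscalls named in the thread. stime exists
# only on 32-bit x86, so it is required for b32 only.
REQUIRED = {
    "b64": {"capset", "setgroups", "setrlimit", "setdomainname",
            "init_module", "delete_module", "setxattr", "lsetxattr",
            "fsetxattr", "removexattr", "settimeofday", "ioctl"},
}
REQUIRED["b32"] = REQUIRED["b64"] | {"stime"}


def parse_rules(text):
    """Map arch -> set of syscalls covered by 'always,exit' rules in text.

    Assumption: a rule without '-F arch=' is taken to apply to b64 only.
    """
    covered = {"b32": set(), "b64": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-a":
            continue
        if argv[1] not in ("always,exit", "exit,always"):
            continue
        arch, syscalls = "b64", set()
        for flag, value in zip(argv, argv[1:]):      # (flag, argument) pairs
            if flag == "-F" and value.startswith("arch="):
                arch = value.split("=", 1)[1]
            elif flag == "-S":
                syscalls.update(value.split(","))
        if "all" in syscalls:                        # '-S all' covers everything
            syscalls = REQUIRED.get(arch, set())
        covered.setdefault(arch, set()).update(syscalls)
    return covered


def missing_syscalls(text):
    """Return {arch: sorted required syscalls that no rule in text covers}."""
    covered = parse_rules(text)
    return {a: sorted(REQUIRED[a] - covered.get(a, set())) for a in REQUIRED}


SAMPLE_RULES = """\
# constructed audit.rules fragment, not from any distribution
-a always,exit -F arch=b64 -S capset,setgroups,setrlimit,setdomainname -k priv
-a always,exit -F arch=b32 -S capset,setgroups,setdomainname -k priv
-a always,exit -F arch=b64 -S init_module,delete_module -k modules
-a always,exit -F arch=b32 -S init_module,delete_module -k modules
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr -k xattr
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr -k xattr
-a always,exit -F arch=b64 -S settimeofday,ioctl -k config
-a always,exit -F arch=b32 -S settimeofday,ioctl -k config
"""

if __name__ == "__main__":
    for arch, gaps in missing_syscalls(SAMPLE_RULES).items():
        print(arch, "missing:", gaps or "none")   # b32 missing: setrlimit, stime
```

Run it against a real /etc/audit/audit.rules by passing the file's contents to `missing_syscalls`; the b32 rules are easy to forget and are exactly where the sample fragment is short.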
