audit syscall information.

Olaf Kirch okir at suse.de
Sat Apr 23 17:32:49 UTC 2005


On Fri, Apr 22, 2005 at 09:38:07PM -0400, James Morris wrote:
> > You also need to intercept rtnetlink messages to catch all network
> > related configuration changes, but I guess you're already doing
> > that somewhere else.
> 
> SELinux can trigger auditing of netlink messages, but the granularity is 
> only the netlink family and whether it's a 'read' or 'write' operation 
> (for rtnetlink).

Most likely, this is not enough, because for CAPP you really want to
know what sort of message. Just logging the fact that someone sent a
netlink message doesn't tell you anything about the network configuration
changes this entails.

Laus added a hook into rtnetlink to intercept the entire message. Doing
it inside the netlink dispatch routine was the best solution we found
because that's where you can tell whether it's rtnetlink (the other
families are less interesting), and you can easily match the message to
the result code.

Olaf
-- 
Olaf Kirch   |  --- o --- Nous sommes du soleil we love when we play
okir at suse.de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
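Decoding rtnetlink traffic to the granularity the reply argues for, as an added example that is not from this thread or from LAuS: it walks a constructed netlink stream (an RTM_NEWADDR request and the kernel's NLMSG_ERROR acknowledgement for it), names each message type rather than just the family, separates reads from writes, and pairs the request with its result code by sequence number. The struct and function names are assumptions.

```c
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

struct audit_rec {
    const char *type_name; /* RTM_NEWADDR, NLMSG_ERROR, ... not just "rtnetlink" */
    int is_write;          /* 0 only for RTM_GET* requests (reads) */
    uint32_t seq;          /* nlmsg_seq: pairs a request with its result */
    int result;            /* nlmsgerr.error of an NLMSG_ERROR reply, else 0 */
};

/* rtnetlink types come in groups of four (NEW, DEL, GET, SET); only GET is a read. */
static int rtm_is_write(uint16_t t)
{
    return t >= RTM_BASE && (t - RTM_BASE) % 4 != 2;
}

/* Name the message types that matter for configuration-change auditing. */
static const char *rtm_type_name(uint16_t t)
{
    switch (t) {
    case NLMSG_ERROR:  return "NLMSG_ERROR";
    case RTM_NEWLINK:  return "RTM_NEWLINK";  case RTM_DELLINK:  return "RTM_DELLINK";
    case RTM_NEWADDR:  return "RTM_NEWADDR";  case RTM_DELADDR:  return "RTM_DELADDR";
    case RTM_NEWROUTE: return "RTM_NEWROUTE"; case RTM_DELROUTE: return "RTM_DELROUTE";
    default:           return "RTM_OTHER";
    }
}

/* Walk every nlmsghdr in buf (the whole stream a dispatch-level hook would see);
 * returns the number of records filled, or -1 if out[] is too small. */
int audit_rtnetlink(unsigned char *buf, size_t len, struct audit_rec *out, size_t max)
{
    struct nlmsghdr *nh = (struct nlmsghdr *)buf;
    size_t n = 0;
    for (int rem = (int)len; NLMSG_OK(nh, rem); nh = NLMSG_NEXT(nh, rem)) {
        if (n == max) return -1;
        out[n].type_name = rtm_type_name(nh->nlmsg_type);
        out[n].is_write  = rtm_is_write(nh->nlmsg_type);
        out[n].seq       = nh->nlmsg_seq;
        out[n].result    = 0;
        if (nh->nlmsg_type == NLMSG_ERROR &&
            nh->nlmsg_len >= NLMSG_LENGTH(sizeof(struct nlmsgerr)))
            out[n].result = ((struct nlmsgerr *)NLMSG_DATA(nh))->error;
        n++;
    }
    return (int)n;
}

/* Constructed sample: an RTM_NEWADDR request (seq 7, AF_INET) followed by the
 * kernel's NLMSG_ERROR ack for it; error 0 means the address was added. */
int sample_audit(struct audit_rec *out, size_t max)
{
    unsigned char buf[128];
    struct { struct nlmsghdr nh; struct ifaddrmsg ifa; } req;
    struct { struct nlmsghdr nh; struct nlmsgerr err; } ack;
    memset(&req, 0, sizeof req);
    memset(&ack, 0, sizeof ack);
    memset(buf, 0, sizeof buf);
    req.nh.nlmsg_len   = NLMSG_LENGTH(sizeof req.ifa);
    req.nh.nlmsg_type  = RTM_NEWADDR;
    req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req.nh.nlmsg_seq   = 7;
    req.ifa.ifa_family = AF_INET;
    ack.nh.nlmsg_len   = NLMSG_LENGTH(sizeof ack.err);
    ack.nh.nlmsg_type  = NLMSG_ERROR;
    ack.nh.nlmsg_seq   = 7;
    ack.err.msg        = req.nh; /* ack echoes the request header; error stays 0 */
    memcpy(buf, &req, req.nh.nlmsg_len);
    memcpy(buf + NLMSG_ALIGN(req.nh.nlmsg_len), &ack, ack.nh.nlmsg_len);
    return audit_rtnetlink(buf, NLMSG_ALIGN(req.nh.nlmsg_len) + ack.nh.nlmsg_len, out, max);
}
```

A family-level hook would report both messages only as "rtnetlink, write" and "rtnetlink, read"; the records produced here carry the operation and its outcome.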