[RFC][PATCH] loginuid through procfs (+ a question)
Steve Grubb
sgrubb at redhat.com
Sat Jan 8 15:08:01 UTC 2005
On Sunday 09 January 2005 07:04, Klaus Weidner wrote:
> If the kernel can't reliably access the needed information, the audit
> userspace message function must be modified to work synchronously, so
> that the trusted program doesn't proceed until the kernel had a chance to
> pick up the data.
I'm not sure it needs to block, we just need to collect everything we need in
1 shot.
> It's definitely a CAPP and LSPP requirement to have the correct user
> identity contained reliably in the audit record. Having it glued together
> in userspace would be acceptable as long as it's transparent to the admin
> and doesn't have problems with log file rollover etc.
Gluing it together in userspace will be low performance and the information
needed may not be in a log. The patch to collect loginuid in af_netlink is
probably 6-7 lines, tops. The solution in userspace will require *much* more
programming and performance will be bad because of having to search for the
needed info and there's no guarantee the needed info exists.
-Steve
More information about the Linux-audit
mailing list