[PATCH] enable /proc/$$/loginuid
Leigh Purdie
Leigh.Purdie at intersectalliance.com
Mon Jan 17 21:22:26 UTC 2005
On Mon, 2005-01-17 at 12:14 -0800, Casey Schaufler wrote:
> Ah, yes. The initial version of SunOS audit
> (back in the late 1980's) wrote directly from
> the kernel to disk. The lesson was quickly
> learned. Log file management, filtering,
> notification, and a number of other functions
> are much better done in user space code.
Believe it or not, it still does. :(
The solaris auditd functions as a 'management layer' for the kernel, but
effectively all it really does, is:
a) turn on/off particular events according to configurations
in /etc/security/audit_control, audit_event, and audit_class
b) open a file (eg: /var/audit/1234567.not-terminated.log), and pass the
file handle + a 'exit auditsvc if disk space falls below this threshold'
parameter to the auditsvc() system call.
However, they did add the capability to pass a 'pipe' file handle to
auditsvc() around 2.6, which meant that a third party app (like snare)
could add in some more advanced management/filtering etc.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
More information about the Linux-audit
mailing list