[RFC] linux-2.6.10-auditfs-tc1.patch
Casey Schaufler
casey at schaufler-ca.com
Mon Jan 24 03:49:51 UTC 2005
--- Chris Wright <chrisw at osdl.org> wrote:
> You mean BSM format?
BSM is one example. Irix is another. They're
both based on a proposal presented to the POSIX
group by one W. Olin Sibert.
> Yes, I think Serge and I
> talked about it briefly
> a few months ago. The current method is tokenized
> and reasonably
> extensible. It's not quite record+tokens like BSM,
> but there's an initial
> record that tells you how many ancillary records
> (items) to expect.
This self describing behavior is what's important.
It allows you to throw in additional process and
file attributes (e.g. MAC labels, ACLs) as
necessary.
> And each record is made up primarily of token=value
> pairs.
Very good. If you document the legitimate tokens
and the kind of information in the value you're
a long way toward a useful audit system.
> I think
> we should provide what makes sense, and do any BSM
> type translation
> in userspace.
A reasonable option. That's how SGI dealt with
a major overhaul to the audit format in Irix6.5.
> But having _some_ BSM compatibility
> would be wise, since
> that's what many tools deal with.
At least a description of what's in the records
and tokens to make it easy for an individual who
is inclined to attempt such a translation is in
order.
=====
Casey Schaufler
casey at schaufler-ca.com
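One way to consume the self-describing, token=value records discussed above, as an added example that is not code from the patch or from either poster: a small Python grouper that collects records by audit serial and checks that the leader record's `items=` count matches the ancillary PATH records that arrived. It assumes the layout of the current Linux audit log (`type=`, `msg=audit(ts:serial):`, `items=`), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records in the style of the Linux audit log (assumption:
# token=value layout with a SYSCALL leader whose items= announces the PATH records).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1106538591.123:42): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=1234 uid=0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1106538591.123:42): cwd="/root"
type=PATH msg=audit(1106538591.123:42): item=0 name="/etc/shadow" inode=1357 mode=0100600 ouid=0 ogid=0
type=PATH msg=audit(1106538591.123:42): item=1 name="/dev/null" inode=5 mode=020666 ouid=0 ogid=0
type=SYSCALL msg=audit(1106538592.001:43): arch=c000003e syscall=59 success=yes exit=0 items=1 pid=1235 uid=1000 comm="sh" exe="/bin/sh"
type=CWD msg=audit(1106538592.001:43): cwd="/home/alice"
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # token=value, value may be quoted
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')  # timestamp and serial header

def parse_record(line):
    """Turn one line into a dict of token -> value (quotes stripped) plus serial/timestamp."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("no audit(ts:serial) header in %r" % line)
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    fields["timestamp"] = float(m.group(1))
    fields["serial"] = int(m.group(2))
    return fields

def group_events(text):
    """Group records by serial: the SYSCALL record is the leader, the rest are ancillary."""
    events = defaultdict(lambda: {"leader": None, "ancillary": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["leader"] = rec
        else:
            ev["ancillary"].append(rec)
    return dict(events)

def check_completeness(events):
    """Return serials whose PATH record count disagrees with the leader's items= token
    (or that have no leader at all), i.e. events a consumer must not treat as complete."""
    incomplete = []
    for serial, ev in events.items():
        leader = ev["leader"]
        paths = [r for r in ev["ancillary"] if r["type"] == "PATH"]
        if leader is None or len(paths) != int(leader.get("items", 0)):
            incomplete.append(serial)
    return sorted(incomplete)
```

Serial 43 announces one PATH item but none arrived, so `check_completeness` flags it; a collector should hold such events until the remaining records show up rather than acting on a partial picture.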