Linux Auditing patch and additional questions
Steve Grubb
sgrubb at redhat.com
Fri Feb 24 22:14:07 UTC 2006
On Friday 24 February 2006 17:02, Mauricio Lin wrote:
> I am looking for the patch done by Rik Faith according to the webpage
> http://lwn.net/Articles/73623/. The link
> http://people.redhat.com/faith/audit/audit-20040226.1411.patch no longer
> seems to be available.
That's true, his site is gone. The patch has been accepted upstream, so all
you need to do is look at kernel/audit*.c
> I would like to check the patch to see clearly the code included in the
> kernel and what exactly were changed.
There have been many, many, many changes since then. Best to look at current
code.
> BTW, what is the main difference between the auditing syscall and the
> strace tool?
strace is for tracing system calls and controlled from user space. The audit
system is meant to be a security tool for auditing user/program actions. It's
designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA. The
audit system is concerned with credentials and strace is not.
> Does auditing syscall provide more accurate values?
No. There is a problem in that the audit system collects just arg0 - arg3. No
more. If the parameter is a pointer, then all you get is the address and not
the value.
> Furthermore, does the auditing tool provide the time or elapsed time that a
> system call was allocated for each processor in a SMP platform?
It provides the time of the syscall based on the system clock.
> Does it trace the system call by processor?
No.
-Steve
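The two points made above about what the audit system records per syscall (the raw a0..a3 register values, a pointer argument surfacing only as an address, and a timestamp from the system clock) can be seen by parsing audit records. The following is an added example, not code from the original post or from the audit project: it parses constructed SYSCALL and PATH records (the sample lines, the two-entry x86_64 syscall table and the POINTER_ARGS positions are assumptions made for illustration), groups records by audit serial, and shows that the filename passed to open(2) is recoverable only from the kernel's PATH record, while the buffer passed to write(2) is present only as an address.

```python
# Added example (not from the original mailing-list post): parse Linux audit
# SYSCALL and PATH records to show that a0..a3 are raw register values, so a
# pointer argument (the filename passed to open(2), the buffer passed to
# write(2)) appears only as an address. The PATH record the kernel emits for
# filesystem syscalls is where the resolved name actually lives.
import re

# Constructed sample records (not captured from a real system). The first two
# records share audit serial 1004, i.e. they belong to one event; the third is
# a write(2) whose buffer pointer is in a1.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1140819247.123:1004): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe3a1c2f40 a1=0 a2=1b6 a3=0 items=1 ppid=2451 pid=2468 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" key="watch-passwd"
type=PATH msg=audit(1140819247.123:1004): item=0 name="/etc/passwd" inode=131083 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1140819247.456:1005): arch=c000003e syscall=1 success=yes exit=12 a0=1 a1=7ffe3a1c3000 a2=c a3=0 items=0 ppid=2451 pid=2468 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" key="watch-passwd"
"""

# Minimal x86_64 syscall table covering only the numbers used above
# (assumption for illustration; the real mapping is the kernel's syscall table).
X86_64_SYSCALLS = {1: "write", 2: "open"}

# Which argument positions hold userspace pointers for those two syscalls
# (assumption for illustration; derived from the syscall prototypes).
POINTER_ARGS = {"open": (0,), "write": (1,)}

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def group_events(log_text):
    """Group records by audit serial; all records of one event share it."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def describe_syscall(records):
    """Summarise one event: wall-clock time, syscall name, the four raw
    argument values, which of them are only addresses, and the PATH name
    (if the kernel emitted one) that gives the value behind the pointer."""
    sc = next(r for r in records if r["type"] == "SYSCALL")
    paths = [r["name"] for r in records if r["type"] == "PATH"]
    nr = int(sc["syscall"])
    name = X86_64_SYSCALLS.get(nr, f"#{nr}")
    args = [int(sc[k], 16) for k in ("a0", "a1", "a2", "a3")]
    return {
        "time": sc["time"],            # seconds since the epoch, system clock
        "syscall": name,
        "args": args,
        "pointer_args": [hex(args[i]) for i in POINTER_ARGS.get(name, ())],
        "auid": int(sc["auid"]),       # login uid: the credential strace lacks
        "path": paths[0] if paths else None,
    }


if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE_LOG).items()):
        d = describe_syscall(recs)
        print(f"{serial}: {d['syscall']} at {d['time']:.3f} by auid={d['auid']} "
              f"args={d['args']} pointers={d['pointer_args']} path={d['path']}")
```

For the open(2) event the only readable form of a0 is the PATH record's name; for the write(2) event there is no PATH record, so the data behind a1 is simply absent from the audit trail, which is exactly the case where strace (which dereferences and prints the buffer) shows more than audit does.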