Linux Auditing patch and additional questions

Mauricio Lin mauriciolin at gmail.com
Fri Feb 24 22:58:23 UTC 2006


On 2/24/06, Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Friday 24 February 2006 17:02, Mauricio Lin wrote:
> > I am looking for the patch done by Rik Faith according to the webpage
> > http://lwn.net/Articles/73623/. The link
> > http://people.redhat.com/faith/audit/audit-20040226.1411.patch looks not
> > available anymore.
>
> That's true, his site is gone. The patch has been accepted upstream, so all
> you need to do is look at kernel/audit*.c
>
> > I would like to check the patch to see clearly the code included in the
> > kernel and what exactly were changed.
>
> There have been many, many, many changes since then. Best to look at current
> code.
>
> > BTW, what is the main difference between the auditing syscall and the
> > strace tool?
>
> strace is for tracing system calls and controlled from user space. The audit
> system is meant to be a security tool for auditing user/program actions. It's
> designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA. The
> audit system is concerned with credentials and strace is not.
>
> > Does auditing syscall provide more accurate values?
>
> No. There is a problem in that the audit system collects just arg0 - arg3. No
> more. If the parameter is a pointer, then all you get is the address and not
> the value.
>
> > Furthermore, does the auditing tool provide the time or elapsed time that a
> > system call was allocated for each processor in a SMP platform?
>
> It provides the time of the syscall based on the system clock.


OK. System calls can sleep, and perhaps on an SMP platform they can run on a
different processor because of the load balancer feature. The system clock is
registered at the entry point of the syscall, right?

After that, if the syscall is put in the waitqueue, nothing is registered when it
is awakened again to use the processor. Am I right?

> > Does it trace the system call by processor?
>
> No.
>
> -Steve
>
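The points raised above (the audit system records only a0-a3 as raw register values, a pointer argument appears as an address rather than the value, and the event carries a single system-clock timestamp taken at the syscall) are easy to see by parsing an auditd SYSCALL record. The following is an added example written for this thread, not code from the audit project; the log lines are constructed in the real auditd record format (the serial 456, the pid/uid values and the `file-open` key are made up), and the PATH record shows where audit supplies the resolved filename that the a0 pointer alone cannot give you.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in auditd's on-disk format (not taken from the thread).
# The SYSCALL and PATH records share one serial (456) and therefore form one event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1140821903.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fffb4c1e2a0 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="cat" exe="/bin/cat" key="file-open"
type=PATH msg=audit(1140821903.123:456): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<seconds>.<milliseconds>:<serial>)
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of fields, adding the parsed timestamp and serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    sec, ms, serial = MSG_RE.search(line).groups()
    # One wall-clock timestamp per event: the kernel stamps it when the syscall is audited.
    # There is no per-CPU or scheduling information in the record.
    stamp = datetime.fromtimestamp(int(sec), tz=timezone.utc)
    fields["_time"] = stamp.replace(microsecond=int(ms) * 1000)
    fields["_serial"] = int(serial)
    return fields


def parse_events(log_text):
    """Group records by serial into events: one SYSCALL record plus any PATH records."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["_serial"],
                               {"time": rec["_time"], "syscall": None, "paths": []})
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return events


def syscall_args(syscall_rec):
    """Return a0..a3 as integers.

    These are the only argument values audit records, taken straight from the
    registers and printed in hex. For a pointer argument (a0 here is the
    pathname pointer of open(2) on x86_64) the number is just an address.
    """
    return [int(syscall_rec[f"a{i}"], 16) for i in range(4)]


def describe_event(ev):
    """Summarise an event the way an analyst would read it."""
    rec = ev["syscall"]
    args = syscall_args(rec)
    return {
        "time": ev["time"].isoformat(),
        "syscall": int(rec["syscall"]),
        "exit": int(rec["exit"]),
        "args_hex": [hex(a) for a in args],
        # a2 of open(2) is the mode; audit prints it in hex, so decode it
        "mode": oct(args[2]),
        # the filename comes from the PATH record, never from a0 itself
        "paths": list(ev["paths"]),
        "auid": int(rec["auid"]),
        "exe": rec["exe"],
    }


if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE_LOG).items():
        print(serial, describe_event(ev))
```

Run as written it prints the one constructed event; point `parse_events` at the contents of `/var/log/audit/audit.log` to read real records. Note that `a0` is an address inside the `cat` process, meaningless once that process is gone, while the `PATH` record carries the resolved `/etc/passwd`; that is the practical consequence of audit capturing only arg0-arg3 as raw values.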
