[PATCH] audit: fix broken class-based syscall audit
Klaus Weidner
klaus at atsec.com
Thu May 17 15:23:33 UTC 2007
On Thu, May 17, 2007 at 09:58:25AM -0400, Steve Grubb wrote:
> On Thursday 17 May 2007 09:19, Valdis.Kletnieks at vt.edu wrote:
> > > I'd suggest adding a printk() in addition to returning 0 - you don't want
> > > to silently ignore unknown or unsupported syscalls when auditing.
> >
> > Make it rate-limited, so a program can't unintentionally spam your logs.
>
> For this to happen, the syscall would have to be > 2048. I'd almost image
> syscalls out of range in general...whether being auditing by class as in this
> case or with a typical syscall rule is a problem. So, way back over at
> syscall entry would be the time to notice this problem instead of here. If we
> are concerned about this, it might be a general control feature like
> enable/disable, fail mode, or backlog. We could make something to report out
> of range syscalls.
Can we agree to do just the simple fix for this issue for now, and maybe
revisit adding additional sanity checks later if people think they are
helpful?
-Klaus
More information about the Linux-audit
mailing list