[patch RFC]: userspace crypto auditing
Steve Grubb
sgrubb at redhat.com
Thu Aug 5 16:18:20 UTC 2010
On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
> I'm posting these patches for early review; users of the code are not in
> the kernel yet.
Quick public comment (we chatted on IRC): there are already a number of user
space crypto events. I think what is in the logs here can be fit into the
existing categories, and the user space ones can be replicated in the kernel.
-Steve
> Two new records are defined; in each case output of records is caused by a
> syscall, and all other syscall-related data (process identity, syscall
> result) is audited in the usual records.
>
> AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
> changed.
>
> AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
> crypto operation. To disable auditing these records by default and to
> allow the users to selectively enable them using filters, a new filter
> field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
> thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
>
> Attached for review are:
> - A kernel patch
> - A userspace audit patch
> - A few example audit entries
>
> Mirek
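As an added example (not part of this thread and not code from either patch), the following Python script shows how a log consumer would use the property described above, that the new crypto records carry only the crypto-specific data while process identity and syscall result stay in the usual SYSCALL record of the same audit event. It joins records by the event id inside `msg=audit(ts:serial)`, which is the standard audit log format, and reports each crypto record together with the pid, auid, comm, exe and exit of its SYSCALL record. The record names as they would appear in the log (`CRYPTO_USERSPACE_OP`, `CRYPTO_STORAGE_KEY`), the fields `op`, `cipher` and `res`, and all sample log lines are constructed assumptions, not the format of any shipped kernel.

```python
import re
from collections import defaultdict

# Record type names assumed for the two AUDIT_CRYPTO_* types proposed in the
# thread, as they might be printed in the log (hypothetical).
CRYPTO_TYPES = {"CRYPTO_USERSPACE_OP", "CRYPTO_STORAGE_KEY"}

# Constructed sample log. Event 4501 is a crypto operation by a user process,
# 4502 is an ordinary syscall with no crypto record, 4503 is a storage-key
# change. The crypto fields (op, cipher, res) are assumptions.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1281024000.123:4501): arch=c000003e syscall=2 success=yes exit=3 pid=2345 auid=1000 uid=1000 comm="gpg" exe="/usr/bin/gpg"
type=CRYPTO_USERSPACE_OP msg=audit(1281024000.123:4501): op=encrypt cipher=aes-256-cbc res=success
type=SYSCALL msg=audit(1281024000.456:4502): arch=c000003e syscall=2 success=yes exit=4 pid=2346 auid=1000 uid=1000 comm="cat" exe="/bin/cat"
type=CRYPTO_STORAGE_KEY msg=audit(1281024000.789:4503): op=change res=success
type=SYSCALL msg=audit(1281024000.789:4503): arch=c000003e syscall=2 success=yes exit=0 pid=1 auid=0 uid=0 comm="systemd" exe="/sbin/init"
"""

# Standard audit record header: type=... msg=audit(<timestamp>:<serial>): <key=value ...>
_HEAD = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit log line into a dict, or return None if it is not a record."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": int(m.group("serial"))}
    for key, val in _KV.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def group_events(log_text):
    """Group records by audit event serial; all records of one event share it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def crypto_events(log_text):
    """Return each crypto record joined with the SYSCALL record of its event."""
    out = []
    for serial, recs in sorted(group_events(log_text).items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for r in recs:
            if r["type"] not in CRYPTO_TYPES:
                continue
            out.append({
                "serial": serial,
                "type": r["type"],
                # Process identity and syscall result come from the SYSCALL record.
                "pid": syscall.get("pid"),
                "auid": syscall.get("auid"),
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "exit": syscall.get("exit"),
                # Everything crypto-specific lives in the crypto record itself.
                "detail": {k: v for k, v in r.items() if k not in ("type", "ts", "serial")},
            })
    return out


if __name__ == "__main__":
    for ev in crypto_events(SAMPLE_LOG):
        print(f"{ev['serial']} {ev['type']} pid={ev['pid']} auid={ev['auid']} "
              f"comm={ev['comm']} exit={ev['exit']} {ev['detail']}")
```

Events that carry no crypto record (4502 in the sample) are dropped, and a crypto record whose SYSCALL record is missing still appears with `None` identity fields rather than being silently lost, which is the case a reviewer of such logs would want to notice.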