RFC: AF_ALG auditing

Miloslav Trmac mitr at redhat.com
Tue Nov 23 12:47:11 UTC 2010


Hello,
attached is a user-space patch that adds support for auditing uses of the AF_ALG protocol family developed by Herbert Xu to provide user-space access to kernel crypto accelerators.  Kernel patches will follow.

One new record is defined: AUDIT_CRYPTO_USERSPACE_OP.  An audited event is always caused by a syscall, and all other syscall-related data (process identity, syscall result) is audited in the usual records.

To disable auditing crypto by default and to allow the users to selectively enable it using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).

In addition to the user-space patch, attached are also a few example audit entries.
    Mirek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.0.5-AF_ALG.patch
Type: text/x-patch
Size: 9166 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20101123/d11ee2a6/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-examples
Type: application/octet-stream
Size: 4203 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20101123/d11ee2a6/attachment.obj>

