[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs

 > - while system call is executing, additional information is collected
>   based on the data copied from userspace by the syscall. In the case of
>   filesystem operation, this would be the audit attribute associated with
>   the inode being worked on.

This might be a little insane, that is, from the current syscall
audit, to figure out "the inode being worked on."  In ptrace there is
an audit_syscall_enter hook and audit_syscall_exit hook.  In neither
hook is there a reasonable way to discover the inode associated with
the syscall argument.  This is why I think its easiest to do the
logging in the VFS for this portion of the record, at least... At this
point, we have a dentry associated with an inode (the inode we're
interested in), to work with.

> - when the system call is complete, the filter rules are applied to the
>   available data (including the additional info), and an audit record
>   is generated and sent to userspace.

In my way, this wouldn't work to well because the syscall could be
filtered away and the VFS portion would be in userland waiting...


> Linux-audit mailing list
> Linux-audit redhat com
> http://www.redhat.com/mailman/listinfo/linux-audit

- Timothy R. Chavez

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]