[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Tue, 2004-12-14 at 15:59, Timothy R. Chavez wrote:
> Ok, this sounds most reasonable.  Thanks

What about the situation where multiple auditable objects are involved
in the syscall, whether via multi-component pathnames, multiple pathname
arguments to the syscall (e.g. rename, link), etc?  Easier to just
immediately generate the object information from your hook, and then tie
all such object-based audit records to the associated syscall exit
record via the (timestamp, serial) tuples.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]