best way to audit in vfs

Stephen Smalley sds at epoch.ncsc.mil
Tue Dec 14 20:59:13 UTC 2004


On Tue, 2004-12-14 at 15:59, Timothy R. Chavez wrote:
> Ok, this sounds most reasonable.  Thanks

What about the situation where multiple auditable objects are involved
in the syscall, whether via multi-component pathnames, multiple pathname
arguments to the syscall (e.g. rename, link), etc?  Easier to just
immediately generate the object information from your hook, and then tie
all such object-based audit records to the associated syscall exit
record via the (timestamp, serial) tuples.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
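
The correlation described in the message above, seen from the log consumer's side, as an added example that is not part of the original message or of the audit code base. The sample records are constructed and assume a layout in which every record carries audit(<timestamp>:<serial>); syscall names are spelled out for readability, and correlate() and orphans() are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original message). Object (PATH)
# records are emitted immediately by the hook, so they can precede the
# syscall exit record they belong to, as in event 42 below.
SAMPLE = """\
type=SYSCALL msg=audit(1103057953.120:41): syscall=open success=yes exit=3 pid=812
type=PATH msg=audit(1103057953.120:41): item=0 name="/etc/passwd" inode=1201
type=PATH msg=audit(1103057953.481:42): item=0 name="/tmp/report.new" inode=5530
type=PATH msg=audit(1103057953.481:42): item=1 name="/tmp/report" inode=5531
type=SYSCALL msg=audit(1103057953.481:42): syscall=rename success=yes exit=0 pid=812
type=PATH msg=audit(1103057953.481:43): item=0 name="/var/tmp/orphan" inode=77
"""

RECORD = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def correlate(log_text):
    """Group records into events keyed by the (timestamp, serial) tuple."""
    events = defaultdict(lambda: {"syscall": None, "objects": []})
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # not an audit record
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        # The timestamp alone is not unique (events 42 and 43 share one),
        # so the serial must be part of the key.
        key = (stamp, int(serial))
        if rtype == "SYSCALL":
            events[key]["syscall"] = fields
        elif rtype == "PATH":
            events[key]["objects"].append(fields)
    return dict(events)

def orphans(events):
    """Keys of events that have object records but no syscall exit record."""
    return sorted(k for k, e in events.items() if e["syscall"] is None)

if __name__ == "__main__":
    evs = correlate(SAMPLE)
    for key, ev in sorted(evs.items()):
        name = (ev["syscall"] or {}).get("syscall", "?")
        print(key, name, [o["name"] for o in ev["objects"]])
    print("object records with no syscall exit record:", orphans(evs))
```

An event that shows up in orphans() is worth flagging during log review, since its object records cannot be attributed to a syscall outcome.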




More information about the Linux-audit mailing list