
Re: best way to audit in vfs



Yes,

But you have the problem of incomplete logs.  For testing purposes the
audit log should contain coherent and complete records only.  What
about just adding a list_head to the audit_context and we can just add
all the necessary information about each object to that list then just
write out on syscall exit?


On Tue, 14 Dec 2004 15:59:13 -0500, Stephen Smalley <sds epoch ncsc mil> wrote:
> On Tue, 2004-12-14 at 15:59, Timothy R. Chavez wrote:
> > Ok, this sounds most reasonable.  Thanks
> 
> What about the situation where multiple auditable objects are involved
> in the syscall, whether via multi-component pathnames, multiple pathname
> arguments to the syscall (e.g. rename, link), etc?  Easier to just
> immediately generate the object information from your hook, and then tie
> all such object-based audit records to the associated syscall exit
> record via the (timestamp, serial) tuples.
> 
> --
> Stephen Smalley <sds epoch ncsc mil>
> National Security Agency
> 
> 


-- 
- Timothy R. Chavez
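
Added example, not part of the original thread or of the kernel audit code: a log-side check for the trade-off discussed above. It groups records by their (timestamp, serial) tuple and reports object records that have no matching syscall exit record. The record layout, the PATH/SYSCALL type names and the sample lines are constructed assumptions modelled on the Linux audit "msg=audit(timestamp:serial)" prefix.

```python
import re
from collections import defaultdict

# Constructed sample records (assumption): two object records tied to one
# rename, one orphaned object record, and one syscall with no objects.
SAMPLE_LOG = """\
type=PATH msg=audit(1103058000.101:41): name="/tmp/a" inode=1201
type=PATH msg=audit(1103058000.101:41): name="/tmp/b" inode=1202
type=SYSCALL msg=audit(1103058000.101:41): syscall=rename success=yes
type=PATH msg=audit(1103058000.207:42): name="/etc/passwd" inode=77
type=SYSCALL msg=audit(1103058000.350:43): syscall=getpid success=yes
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)


def group_events(log_text):
    """Group records by their (timestamp, serial) tuple, keeping arrival order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not audit records
        # Keep the timestamp as a string so the key matches the log exactly.
        key = (m.group("ts"), int(m.group("serial")))
        events[key].append((m.group("type"), m.group("body")))
    return dict(events)


def incomplete_events(events):
    """Return keys that carry object records but no syscall exit record."""
    bad = []
    for key, records in events.items():
        types = {rtype for rtype, _ in records}
        if "PATH" in types and "SYSCALL" not in types:
            bad.append(key)
    return sorted(bad, key=lambda k: k[1])


if __name__ == "__main__":
    grouped = group_events(SAMPLE_LOG)
    for key, records in grouped.items():
        print(key, [rtype for rtype, _ in records])
    print("incomplete:", incomplete_events(grouped))
```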

