[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Tue, 2004-12-14 at 16:09, Timothy R. Chavez wrote:
> Yes,
> 
> But you have the problem of incomplete logs.  For testing purposes the
> audit log should contain coherent and complete records only.  What
> about just adding a list_head to the audit_context and we can just add
> all the necessary information about each object to that list then just
> write-out on syscall exit?

As soon as you know that the object is auditable, you presumably would
like to have an audit record about it, even if the full operation
doesn't complete (in fact, if you've determined that the object is
auditable, you want to immediately verify that you can at least audit
that information; otherwise, you may need to take some emergency action
then, not after the operation has completed and it is too late).  Note
that your hook functions are what is determining whether or not an audit
record should be generated (based on the object information).

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]