best way to audit in vfs
Chris Wright
chrisw at osdl.org
Tue Dec 14 21:28:11 UTC 2004
* Klaus Weidner (klaus at atsec.com) wrote:
> I think this is the fundamental disagreement here - if you want to filter
> audit records based on object identity, you need to have the object
> identity information available when applying the filter rules. If you
> want to do the filtering in the kernel, there isn't really any
> alternative to storing this information in kernel space.
Hmm, it's been a while since I looked at CAPP audit requirements, but
doesn't it require action if log is full? E.g., possibly not allowing
request to complete?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net