
Re: best way to audit in vfs

On Tue, 14 Dec 2004 16:22:59 -0500, Stephen Smalley <sds epoch ncsc mil> wrote:
> On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
> > Actually that's the problem - the hook functions only determine whether
> > the action is potentially auditable.  It might only be auditable when
> > accessed by a certain user.  Or, there might be a single user for whom
> > we want to audit every access.  But that doesn't mean we want every access
> > by every user causing a partial audit record to be emitted.
> Yes, but why can't you make the full determination in your hook
> function?  At the point of the hook function, you know:
> - the current process information,
> - the object information,
> - the call site.

Well, my original message, I think, was hinting at doing it this way?
But to do it effectively with only one hook, you'd need one exit
point, right?  If you wanted to generate a complete record as soon as
you have it ready (from the VFS function) then you'd write out to the
log a one-off message from VFS... but that will completely separate
you from syscall filtering/auditing and change the topology of VFS
and... well, I value my life ;-).

> It is possible that you have some complex audit configuration in mind
> that requires tying together information from multiple hooks in order to
> determine whether or not to audit the operation, but I'm not sure
> whether that is necessary.

> --
> Stephen Smalley <sds epoch ncsc mil>
> National Security Agency

- Timothy R. Chavez
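
The determination discussed in the thread (one decision in the hook from process, object and call-site information) can be sketched as a userspace model. This is an added example, not part of the original message and not kernel or audit-subsystem code; every name, the rule table and the sample uid/inode values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ANY_UID ((unsigned)-1)   /* hypothetical wildcard: any user */
#define ANY_INO 0UL              /* hypothetical wildcard: any object */
enum call_site { SITE_ANY, SITE_OPEN, SITE_UNLINK, SITE_RENAME };

struct audit_rule { unsigned uid; unsigned long ino; enum call_site site; };

/* Constructed sample policy covering the cases raised in the thread. */
static const struct audit_rule rules[] = {
    { 1001,    4242,    SITE_ANY    }, /* object auditable only for one user */
    { 1005,    ANY_INO, SITE_ANY    }, /* one user: audit every access */
    { ANY_UID, 77,      SITE_UNLINK }, /* any user, one object, one call site */
};

static bool rule_matches(const struct audit_rule *r, unsigned uid,
                         unsigned long ino, enum call_site site)
{
    return (r->uid  == ANY_UID  || r->uid  == uid) &&
           (r->ino  == ANY_INO  || r->ino  == ino) &&
           (r->site == SITE_ANY || r->site == site);
}

/*
 * Model of the hook: all three inputs are available at the call, so the
 * full decision is made here and no partial record is emitted for
 * accesses that match no rule.
 */
bool hook_should_audit(unsigned uid, unsigned long ino, enum call_site site)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (rule_matches(&rules[i], uid, ino, site))
            return true;
    return false;
}

int main(void)
{
    /* Same object, two users: only the configured user produces a record. */
    printf("uid 1001 open ino 4242: %d\n", hook_should_audit(1001, 4242, SITE_OPEN));
    printf("uid 1002 open ino 4242: %d\n", hook_should_audit(1002, 4242, SITE_OPEN));
    return 0;
}
```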
