[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Tue, 2004-12-14 at 16:33, Timothy R. Chavez wrote:
> Well my original message I think was hinting at doing it this way? 
> But to do it effectively with only one hook, you'd need one exit
> point, right?

No.  You just need to:
1) have your hook function decide whether auditing is required,
2) if so, have it emit a partial audit record with information not
available at syscall exit,
3) this will automatically enable auditing upon syscall exit

And your audit hook can be called very early, as soon as you have the
object available.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]