[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs

Quoting Stephen Smalley (sds epoch ncsc mil):
> On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
> > Actually that's the problem - the hook functions only determine whether
> > the action is potentially auditable.  It might only be auditable when
> > accessed by a certain user.  Or, there might be a single user for whom
> > we want to audit every access.  But that doesn't mean we want every access
> > by every user causing a partial audit record to be emitted.
> Yes, but why can't you make the full determination in your hook
> function?  At the point of the hook function, you know:
> - the current process information,
> - the object information,
> - the call site.

Good point.

> It is possible that you have some complex audit configuration in mind
> that requires tying together information from multiple hooks in order to
> determine whether or not to audit the operation, but I'm not sure
> whether that is necessary. 

No, I think we all agree that anything much more complicated should be done
in userspace.  The only real reason to care about doing some in kernel space,
I think, is to minimize wasted kernel->auditd traffic.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]