
Re: best way to audit in vfs
What I have currently: on disk full, auditd will notify the kernel, which sets up a flag "disk_full_flag". During audit_log_start, if the disk_full_flag is set, the process will be queued in a wait queue until auditd or auditctl resets the disk_full_flag.
I can provide more details if needed. This is the general method I am going to use to cover this CAPP requirement.
Mounir

Mounir Bsaibes
Linux Security
Tel:  (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes us ibm com



Klaus Weidner <klaus atsec com>
Sent by: linux-audit-bounces redhat com

12/14/2004 03:48 PM

Please respond to
Linux Audit Discussion

To
Chris Wright <chrisw osdl org>
cc
Linux Audit Discussion <linux-audit redhat com>
Subject
Re: best way to audit in vfs
On Tue, Dec 14, 2004 at 01:28:11PM -0800, Chris Wright wrote:
> * Klaus Weidner (klaus atsec com) wrote:
> > I think this is the fundamental disagreement here - if you want to filter
> > audit records based on object identity, you need to have the object
> > identity information available when applying the filter rules. If you
> > want to do the filtering in the kernel, there isn't really any
> > alternative to storing this information in kernel space.
>
> Hmm, it's been a while since I looked at CAPP audit requirements, but
> doesn't it require action if log is full?  E.g., possibly not allowing
> request to complete?

It does, but this does not need to be instantaneous. The current plan is
that auditd notifies the kernel if it detects an "out of disk space"
condition, and this will tell the kernel that it shouldn't queue any
additional records.

When the in-kernel queue is full, any system calls that need to generate
an audit record block and wait for space to become available again. (BTW,
this may be an argument against generating audit records at arbitrary
places in the kernel, since such waiting may not be possible there.)

CAPP requires that the lossage of audit data has been minimized by the
developer and clearly documented. Losing a couple of records if the disk
is full and the system then crashes is acceptable from a CAPP point of
view.

-Klaus

--
Linux-audit mailing list
Linux-audit redhat com
http://www.redhat.com/mailman/listinfo/linux-audit
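The back-pressure scheme both messages describe (disk-full flag set by auditd, callers of audit_log_start sleeping on a wait queue until the flag is reset, records blocked rather than dropped), as a user-space model added here; it is not kernel or auditd code, and the names audit_set_disk_full, audit_blocked_count, run_disk_full_scenario and QUEUE_CAP are hypothetical:

```c
#include <pthread.h>
#include <stdbool.h>
#include <unistd.h>
#define QUEUE_CAP 4                  /* constructed: tiny in-kernel record queue */
static pthread_mutex_t lock  = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  space = PTHREAD_COND_INITIALIZER;
static bool disk_full_flag;          /* set by auditd on disk full, reset by auditctl */
static int  queued;                  /* records waiting for auditd to write out */
static int  blocked;                 /* callers sleeping in audit_log_start() */

/* Syscall path: sleep on the wait queue instead of losing the record. */
void audit_log_start(void)
{
    pthread_mutex_lock(&lock);
    while (disk_full_flag || queued >= QUEUE_CAP) {
        blocked++;
        pthread_cond_wait(&space, &lock);
        blocked--;
    }
    queued++;
    pthread_mutex_unlock(&lock);
}

/* auditd/auditctl side: flip the flag; clearing it wakes every sleeper. */
void audit_set_disk_full(bool full)
{
    pthread_mutex_lock(&lock);
    disk_full_flag = full;
    if (!full)
        pthread_cond_broadcast(&space);
    pthread_mutex_unlock(&lock);
}

int audit_blocked_count(void) { pthread_mutex_lock(&lock); int n = blocked; pthread_mutex_unlock(&lock); return n; }
int audit_queued_count(void)  { pthread_mutex_lock(&lock); int n = queued;  pthread_mutex_unlock(&lock); return n; }
static void *writer(void *arg) { (void)arg; audit_log_start(); return NULL; }

/* Scenario from the thread: disk full -> a writer blocks; flag reset -> it
 * completes and its record is queued. Returns how many writers were blocked. */
int run_disk_full_scenario(void)
{
    pthread_t t;
    audit_set_disk_full(true);
    pthread_create(&t, NULL, writer, NULL);
    for (int i = 0; i < 500 && audit_blocked_count() == 0; i++)
        usleep(1000);                /* give the writer time to park */
    int was_blocked = audit_blocked_count();
    audit_set_disk_full(false);
    pthread_join(t, NULL);
    return was_blocked;
}
```

The same loop condition covers the second case Klaus mentions: once auditd stops draining and `queued` reaches QUEUE_CAP, new callers sleep until a drain path broadcasts on `space`.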