best way to audit in vfs
Stephen Smalley
sds at epoch.ncsc.mil
Wed Dec 15 16:08:37 UTC 2004
On Tue, 2004-12-14 at 17:06, Mounir Bsaibes wrote:
> What I have currently, on disk full the auditd will notify the kernel
> which sets up a falg "disk_full_flag". During audit_log_start if the
> disk_full_flag is set the process will be queued in a wait queue until
> auditd or auditctl reset the disk_full_flag,
> I can provide more details if needed. This is the general method I am
> going to use to cover this CAPP requirement.
> Mounir
SELinux calls the audit subsystem from hard irq (e.g.
file_send_sigiotask) and at times when kernel locks are held.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the Linux-audit
mailing list