[RFC] linux-2.6.10-auditfs-tc1.patch

Steve Grubb sgrubb at redhat.com
Fri Jan 21 16:15:03 UTC 2005


On Friday 21 January 2005 10:50, Serge Hallyn wrote:
> Perhaps we should print out current->cap_effective?  Or is that
> overkill?  Or perhaps an actual "security_identify_process(task, buf,
> len)" hook would be useful, where commoncap could print out the
> capabilities, and selinux could print out the context.  Maybe that's
> closer to debug info...

Based on previous discussions, I think this would be required for LSPP. If we 
are going for LSPP after meeting CAPP, it wouldn't be bad to start getting 
some things in place.

> It sounds like he's worried about the 7 line audit_log_format line he
> has, but I think that's all good info.

I think I'd like to make a change to the way that the kernel sends netlink 
packets. It would be far more efficient for log_end to send multiple records 
in one packet instead of seven separate packets, especially if the admin has 
configured for full sync writing.

>  Are we satisfied with saying that 'mount' could be modified in 
>  userspace to do the right thing in recreating watch entries?

I don't think we can/should touch mount.

>  Perhaps we could even use inotify + a userspace daemon for the mkdir 
>  /etc case, to create new audit entries based on some config file.

The audit daemon could be made to handle this. We just select on two different 
descriptors and process accordingly. That is, if we need to do this...

-Steve
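The "multiple records in one packet" idea above maps directly onto the standard netlink multi-message framing: one nlmsghdr per record, each padded to NLMSG_ALIGNTO, concatenated, and terminated by an NLMSG_DONE header. The following is an added example written for this page; it is not code from the auditfs patch, from the kernel's log_end, or from auditd. It assumes the batch layout just described (the NLM_F_MULTI/NLMSG_DONE convention is an assumption about how such coalescing could look, not what the patch does), and the record strings are constructed sample data. It is Linux-only, since it uses <linux/netlink.h> and <linux/audit.h>, but it touches no socket, so it runs without privileges.

```c
/* Added example for this page: pack several audit records into one
 * netlink datagram and walk them back out with the NLMSG_* macros.
 * Not from the auditfs patch or auditd. The batch framing (one
 * nlmsghdr per record, NLM_F_MULTI, NLMSG_DONE terminator) is an
 * assumption; the record texts are constructed sample data. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#define BATCH_BUF_SIZE 4096

struct batch {
    char buf[BATCH_BUF_SIZE];
    size_t used;    /* bytes written so far, always NLMSG_ALIGNTO-aligned */
    unsigned seq;   /* one sequence number shared by every record of the batch */
};

static void batch_init(struct batch *b, unsigned seq) {
    memset(b, 0, sizeof *b);
    b->seq = seq;
}

/* Append one record. Returns 1 on success, 0 if it would not fit. */
static int batch_add(struct batch *b, unsigned type, const char *text) {
    size_t payload = strlen(text) + 1;      /* keep the terminating NUL */
    size_t need = NLMSG_SPACE(payload);     /* header + payload + alignment pad */
    if (b->used + need > sizeof b->buf)
        return 0;
    struct nlmsghdr *nlh = (struct nlmsghdr *)(b->buf + b->used);
    memset(nlh, 0, need);                   /* never ship uninitialised padding */
    nlh->nlmsg_len = NLMSG_LENGTH(payload);
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = NLM_F_MULTI;         /* more records follow in this datagram */
    nlh->nlmsg_seq = b->seq;
    nlh->nlmsg_pid = 0;                     /* 0 = originates from the kernel */
    memcpy(NLMSG_DATA(nlh), text, payload);
    b->used += need;
    return 1;
}

/* Terminate the batch with an empty NLMSG_DONE header. */
static int batch_finish(struct batch *b) {
    size_t need = NLMSG_SPACE(0);
    if (b->used + need > sizeof b->buf)
        return 0;
    struct nlmsghdr *nlh = (struct nlmsghdr *)(b->buf + b->used);
    memset(nlh, 0, need);
    nlh->nlmsg_len = NLMSG_LENGTH(0);
    nlh->nlmsg_type = NLMSG_DONE;
    nlh->nlmsg_seq = b->seq;
    b->used += need;
    return 1;
}

/* Walk a received datagram of len bytes, calling cb for each record.
 * Returns the record count, or -1 if the datagram is malformed
 * (truncated header, text not NUL-terminated, trailing bytes, or an
 * NLMSG_ERROR header). */
static int batch_parse(const void *data, int len,
                       void (*cb)(unsigned type, const char *text, void *arg),
                       void *arg) {
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)data;
    int n = 0;
    while (NLMSG_OK(nlh, len)) {
        if (nlh->nlmsg_type == NLMSG_DONE)
            return n;
        if (nlh->nlmsg_type == NLMSG_ERROR)
            return -1;
        size_t payload = nlh->nlmsg_len - NLMSG_HDRLEN;
        const char *text = (const char *)NLMSG_DATA(nlh);
        if (payload == 0 || text[payload - 1] != '\0')
            return -1;                      /* do not trust an unterminated string */
        if (cb)
            cb(nlh->nlmsg_type, text, arg);
        n++;
        nlh = NLMSG_NEXT(nlh, len);
    }
    return len == 0 ? n : -1;               /* leftover bytes mean a damaged packet */
}

/* Small collector so a caller can inspect what was parsed. */
struct seen {
    unsigned types[8];
    int n;
};

static void collect(unsigned type, const char *text, void *arg) {
    struct seen *s = arg;
    if (s->n < 8)
        s->types[s->n] = type;
    s->n++;
    printf("type=%u %s\n", type, text);
}

int main(void) {
    struct batch b;
    struct seen s = {{0}, 0};
    batch_init(&b, 42);
    /* constructed sample records, not real audit output */
    batch_add(&b, AUDIT_SYSCALL, "syscall=2 success=yes");
    batch_add(&b, AUDIT_CWD, "cwd=/etc");
    batch_add(&b, AUDIT_PATH, "name=/etc/passwd");
    batch_finish(&b);
    printf("%d records in %zu bytes\n", batch_parse(b.buf, (int)b.used, collect, &s), b.used);
    return 0;
}
```

The receiver side deliberately rejects a datagram that is short by even one byte or whose record text is not NUL-terminated, which is the check a userspace daemon needs before it logs the string anywhere.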
