[PATCH] enable /proc/$$/loginuid

Casey Schaufler casey at schaufler-ca.com
Mon Jan 17 19:10:29 UTC 2005


--- "Timothy R. Chavez" <chavezt at gmail.com> wrote:

> ... Better to
> do this filtering
> in userspace via a daemon than in the kernel.  We
> should keep the
> in-kernel audit subsystem as small and efficient as
> possible. 
> Anything that can be delegated to userspace should
> be delegated to
> userspace.

For this scheme to work the kernel has to
generate all possible records and pass them
on for filtering. This is much less efficient
than having the kernel filter records that
are known to be uninteresting. Filtering
must be done at a place where sufficient
information is available to make the choice,
and that means it must be done in the kernel
or that all possible filtering criteria must
be passed on.

There is no existing U2X audit implementation
that does all the filtering in user space.
It is not possible to reliably deliver the
total audit volume from a busy 4cpu system
through a single daemon. Attempting to do so
will validate the notion that auditing
slows the system. A kernel based filter scheme,
believe it or not, is much more efficient
just on the basis of data copying than any
userland scheme can hope to be.

I understand the pain involved with putting a
big chunk of code into the kernel. In this case
the alternative is not viable.


=====
Casey Schaufler
casey at schaufler-ca.com

