Re: [PATCH] enable /proc/$$/loginuid

On Mon, 2005-01-17 at 12:14 -0800, Casey Schaufler wrote:
> Ah, yes. The initial version of SunOS audit
> (back in the late 1980's) wrote directly from
> the kernel to disk. The lesson was quickly
> learned. Log file management, filtering,
> notification, and a number of other functions
> are much better done in user space code.

Believe it or not, it still does. :(
The solaris auditd functions as a 'management layer' for the kernel, but
effectively all it really does is:
a) turn on/off particular events according to configurations
in /etc/security/audit_control, audit_event, and audit_class
b) open a file (eg: /var/audit/1234567.not-terminated.log), and pass the
file handle + an 'exit auditsvc if disk space falls below this threshold'
parameter to the auditsvc() system call.

However, they did add the capability to pass a 'pipe' file handle to
auditsvc() around 2.6, which meant that a third party app (like snare)
could add in some more advanced management/filtering etc.


Leigh Purdie, Director - InterSect Alliance Pty Ltd
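As an added illustration, not code from this thread, from Solaris or from snare: a C sketch of the consumer side of the 'pipe' arrangement described above, i.e. a user-space program that reads audit records from a pipe handle, keeps only the classes it is configured for, and stops when free space on the log filesystem drops below a threshold (the user-space analogue of the parameter handed to auditsvc()). auditsvc() itself is Solaris-only and is not called here; the text record format ("class:event:details" per line), the sample records, the "lo,ad" class list and the "." log path are all constructed assumptions for the example, not the BSM binary format.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/statvfs.h>

/* Record format is an assumption for this example (not Solaris's BSM format):
 * one text line per event, "class:event:details\n", where class is a
 * two-letter audit_class-style flag such as "lo" (login/logout). */

/* Return 1 if the record's class (text before the first ':') appears in the
 * comma-separated allow list, e.g. "lo,ad". */
static int class_allowed(const char *rec, const char *allowed)
{
    const char *colon = strchr(rec, ':');
    if (colon == NULL)
        return 0;
    size_t n = (size_t)(colon - rec);
    const char *p = allowed;
    for (;;) {
        const char *q = strchr(p, ',');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == n && strncmp(p, rec, n) == 0)
            return 1;
        if (q == NULL)
            return 0;
        p = q + 1;
    }
}

/* Free space in MiB on the filesystem holding path, or -1 on error. */
static long free_mib(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return (long)((unsigned long long)st.f_bavail * st.f_frsize / (1024ULL * 1024ULL));
}

/* Drain records from in_fd (the pipe handle) until EOF and copy the allowed
 * ones to out_fd. Before each record, give up with -1 if free space on the
 * filesystem holding out_path is below min_free_mib (or cannot be measured);
 * a threshold of 0 disables the check. Returns the number of records written,
 * or -1 on threshold or write failure. */
int filter_audit_pipe(int in_fd, int out_fd, const char *out_path,
                      long min_free_mib, const char *allowed_classes)
{
    char buf[4096];
    size_t used = 0;
    int written = 0;
    ssize_t n;

    while ((n = read(in_fd, buf + used, sizeof buf - 1 - used)) > 0) {
        used += (size_t)n;
        buf[used] = '\0';
        char *line = buf, *nl;
        while ((nl = strchr(line, '\n')) != NULL) {
            *nl = '\0';
            if (min_free_mib > 0 && free_mib(out_path) < min_free_mib)
                return -1;
            if (class_allowed(line, allowed_classes)) {
                size_t len = strlen(line);
                if (write(out_fd, line, len) != (ssize_t)len ||
                    write(out_fd, "\n", 1) != 1)
                    return -1;
                written++;
            }
            line = nl + 1;
        }
        /* Keep a partial trailing record for the next read; drop a record
         * longer than the buffer instead of stalling on a full buffer. */
        used = strlen(line);
        memmove(buf, line, used + 1);
        if (used >= sizeof buf - 1)
            used = 0;
    }
    return written;
}

/* Constructed sample (not real Solaris audit output): push a few records
 * through a real pipe and return how many the filter let through. If out is
 * non-NULL the filtered records are copied there as a NUL-terminated string. */
int run_sample(long min_free_mib, char *out, size_t outsz)
{
    static const char records[] =
        "lo:login:user=alice tty=pts/0\n"
        "fr:open:path=/etc/passwd\n"
        "lo:logout:user=alice\n"
        "ad:audit_ctl:who=root\n";
    int in[2], outp[2];
    if (pipe(in) != 0 || pipe(outp) != 0)
        return -1;
    /* The whole sample fits in the pipe buffer, so write it all up front. */
    (void)write(in[1], records, sizeof records - 1);
    close(in[1]);
    int passed = filter_audit_pipe(in[0], outp[1], ".", min_free_mib, "lo,ad");
    close(in[0]);
    close(outp[1]);
    if (out != NULL && outsz > 0) {
        ssize_t got = read(outp[0], out, outsz - 1);
        out[got > 0 ? got : 0] = '\0';
    }
    close(outp[0]);
    return passed;
}

int main(void)
{
    char out[512];
    int passed = run_sample(1, out, sizeof out);
    printf("%d record(s) passed the filter:\n%s", passed, out);
    return passed < 0;
}
```

The threshold is checked per record rather than once at start-up because the point of the auditsvc() parameter is to stop the writer before the log filesystem fills, and a consumer sitting on a pipe has no other back-pressure signal from the kernel; a real daemon would rotate or alert at that point rather than simply return.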

