[RFC] linux-2.6.10-auditfs-tc1.patch

Chris Wright chrisw at osdl.org
Sat Jan 22 01:33:47 UTC 2005


* Casey Schaufler (casey at schaufler-ca.com) wrote:
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format? If you did you wouldn't have to
> care if any given bit of information was there
> just yet, or allocate a place for things that
> might or might not be there someday. Both Solaris
> and Irix use tokenized schemes to effect.

You mean BSM format?  Yes, I think Serge and I talked about it briefly
a few months ago.  The current method is tokenized and reasonably
extensible.  It's not quite record+tokens like BSM, but there's an initial
record that tells you how many ancillary records (items) to expect.
And each record is made up primarily of token=value pairs.  I think
we should provide what makes sense, and do any BSM type translation
in userspace.  But having _some_ BSM compatibility would be wise, since
that's what many tools deal with.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
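The scheme Chris describes, an initial record carrying an items count and ancillary records made of token=value pairs, is easy to consume from userspace. The parser below is an added example written for this thread, not code from the auditfs patch; the sample records are constructed in the style of Linux audit's key=value lines, and it assumes the ancillary records are the PATH lines sharing the event serial.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the patch: each SYSCALL record promises
# items=N ancillary PATH records that share its event serial (the ":456" part).
# Serial 458 is deliberately short one PATH record to show the consistency check.
SAMPLE = """\
type=SYSCALL msg=audit(1106358827.101:456): syscall=2 success=yes exit=3 items=2 pid=1234 uid=0
type=CWD msg=audit(1106358827.101:456): cwd="/root"
type=PATH msg=audit(1106358827.101:456): item=0 name="/etc/shadow"
type=PATH msg=audit(1106358827.101:456): item=1 name="/etc"
type=SYSCALL msg=audit(1106358827.102:457): syscall=2 success=no exit=-13 items=1 pid=1235 uid=1000
type=PATH msg=audit(1106358827.102:457): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1106358827.103:458): syscall=2 success=yes exit=4 items=2 pid=1236 uid=0
type=PATH msg=audit(1106358827.103:458): item=0 name="/tmp/x"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one line into (type, serial, {token: value}).

    Tokens are taken as they come, so a record may carry tokens this parser has
    never seen without breaking anything; that is the point of the format."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, _timestamp, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in TOKEN.findall(rest)}
    return rtype, int(serial), fields

def group_events(text):
    """Group records by serial; report whether each event's items=N promise was kept.

    An event whose ancillary count does not match items is flagged so a consumer
    can treat it as truncated rather than silently acting on partial data."""
    events = defaultdict(lambda: {"syscall": None, "ancillary": []})
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["ancillary"].append(fields)
    complete = {}
    for serial, ev in events.items():
        expected = int(ev["syscall"]["items"]) if ev["syscall"] else -1
        complete[serial] = (expected == len(ev["ancillary"]))
    return dict(events), complete
```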