[RFC] linux-2.6.10-auditfs-tc1.patch
Chris Wright
chrisw at osdl.org
Sat Jan 22 01:33:47 UTC 2005
* Casey Schaufler (casey at schaufler-ca.com) wrote:
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format? If you did you wouldn't have to
> care if any given bit of information was there
> just yet, or allocate a place for things that
> might or might not be there someday. Both Solaris
> and Irix use tokenized schemes to effect.
You mean BSM format? Yes, I think Serge and I talked about it briefly
a few months ago. The current method is tokenized and reasonably
extensible. It's not quite record+tokens like BSM, but there's an initial
record that tells you how many ancillary records (items) to expect.
And each record is made up primarily of token=value pairs. I think
we should provide what makes sense, and do any BSM type translation
in userspace. But having _some_ BSM compatibility would be wise, since
that's what many tools deal with.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
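As an added example (not code from this thread or the audit patch itself), here is a small Python parser for a record stream of the shape Chris describes: an initial record announces how many ancillary records to expect, and every record is a run of token=value pairs. The `audit(ts:serial):` prefix, the `type`, `items`, `item` and other field names, and the sample lines are constructed assumptions in the style of the Linux audit stream, not taken from the patch.

```python
import re
from collections import defaultdict

# Constructed sample stream (assumption: field names and prefix are illustrative).
# Serial 5 announces items=2 and both ancillary records arrive;
# serial 6 announces items=1 but its ancillary record never shows up.
SAMPLE = """\
audit(1106356427.101:5): type=SYSCALL syscall=5 success=yes items=2 uid=0 pid=1234
audit(1106356427.101:5): type=PATH item=0 name="/etc/passwd" inode=1041
audit(1106356427.101:5): type=PATH item=1 name="/etc" inode=2
audit(1106356427.102:6): type=SYSCALL syscall=5 success=no items=1 uid=500 pid=1240
"""

HEADER = re.compile(r'^audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one line into (serial, {token: value}); quoted values are unquoted.
    Unknown tokens are simply kept, which is the point of a tokenized format."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in TOKEN.findall(m.group('body'))}
    fields['timestamp'] = m.group('ts')
    return int(m.group('serial')), fields

def assemble_events(text):
    """Group records by serial number. The initial record (the one carrying
    items=) says how many ancillary records belong to the event.
    Returns {serial: (initial_or_None, [ancillary records])}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            serial, rec = parse_record(line)
            groups[serial].append(rec)
    events = {}
    for serial, recs in groups.items():
        initial = next((r for r in recs if 'items' in r), None)
        ancillary = [r for r in recs if 'items' not in r]
        events[serial] = (initial, ancillary)
    return events

def incomplete_events(events):
    """Serials whose ancillary count disagrees with the announced items=
    (or that lack an initial record): events truncated or lost in transit,
    which a consumer should flag rather than silently accept."""
    return sorted(s for s, (init, anc) in events.items()
                  if init is None or int(init['items']) != len(anc))
```

Running `incomplete_events(assemble_events(SAMPLE))` reports serial 6, since its announced item never arrived.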