
[PATCH] (0/2) new audit filter allows excluding messages by type

RBACPP places requirements on "selective audit".

Selective Audit
The TSF shall be able to include or exclude auditable events from the
set of audited events based on the following attributes:
(a) Object identity, user identity, subject identity, host identity, and
event type
(b) Users belonging to a specified Role and Access types (e.g. delete,
insert) on a particular object


The following patches add the capabilities required to userspace and the
kernel to allow administrators to filter out audit records based on the
event type.

The audit message type is known as early on as in the call to
audit_log_start(), and thus, placing a check against the filter there
would save the kernel considerable effort allocating buffers and
printing them when the record would ultimately be thrown away (if it
were filtered later).  I placed this call just after the verification of

When coupled with the previous patches I submitted adding support for
advanced operators (<, >, <=, >=), this gives an administrator
considerable flexibility in saving a running kernel time and resources
if particular message types are not of interest.

Along those lines, there has been some discussion as to whether this
filtering belongs in the kernel or in auditd (userspace).  The patches
I'm submitting now add the functionality to the kernel, in fact.  It's
my initial feeling that this may well provide enough of a performance
benefit to merit its presence there.  But I expect this might introduce
a discussion here ....    \/


The interface to exclude messages of IPC type looks like:
auditctl -a exclude,always -F "msgtype=IPC"
auditctl -a exclude,always -F "msgtype=1303"

The interface to exclude userspace messages looks like:
auditctl -a exclude,always -F "msgtype>=1100" -F "msgtype<=1199"

Note that we can certainly teach the audit userspace to recognize many
constant strings to keep administrators from having to come up with
these magic numbers on their own.  Thus, you could use something more
like -F "msgtype>=FIRST_USER_MSG" -F "msgtype<=LAST_USER_MSG", and so

Also note that if you exclude messages of a particular type, its
auxiliary messages are nuked as well.

Patches follow in adjacent emails.  Comments welcome.


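The exclude rules quoted in the email above, modelled in C as an added example (this is not the kernel's or auditctl's code): the struct and function names are assumptions, the message-type numbers 1303 and 1100..1199 are those the email uses, and the two -F clauses of one rule are treated as a conjunction, which is how the quoted range rule reads.

```c
/* Model of the kernel-side "exclude" filter the email describes, checked at the
 * point audit_log_start() runs so nothing is allocated for a dropped record.
 * Added example, not kernel or auditctl code; names are assumptions, the
 * message-type numbers are those quoted in the email. */
#include <stddef.h>

enum audit_op { OP_EQ, OP_LT, OP_GT, OP_LE, OP_GE };
/* One "-a exclude,always" rule; every -F clause in it must match (AND). */
struct exclude_rule {
    enum audit_op ops[2];
    int values[2];
    int nfields;
};

static int field_matches(enum audit_op op, int msgtype, int value) {
    switch (op) {
    case OP_EQ: return msgtype == value;
    case OP_LT: return msgtype <  value;
    case OP_GT: return msgtype >  value;
    case OP_LE: return msgtype <= value;
    case OP_GE: return msgtype >= value;
    }
    return 0;
}

/* Returns 1 if any rule in the list excludes this message type. */
int audit_filter_exclude(int msgtype, const struct exclude_rule *rules, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int all = 1;
        for (int f = 0; f < rules[i].nfields && all; f++)
            all = field_matches(rules[i].ops[f], msgtype, rules[i].values[f]);
        if (all) return 1;
    }
    return 0;
}

/* Mirrors the two rules quoted in the email:
 *   -a exclude,always -F "msgtype=1303"
 *   -a exclude,always -F "msgtype>=1100" -F "msgtype<=1199" */
static const struct exclude_rule sample_rules[] = {
    { { OP_EQ },        { 1303 },       1 },
    { { OP_GE, OP_LE }, { 1100, 1199 }, 2 },
};

/* Log-start decision. Auxiliary records inherit the parent's verdict, so an
 * excluded parent type means they are never built either. */
int should_allocate_record(int msgtype) {
    return !audit_filter_exclude(msgtype, sample_rules, 2);
}
```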
