[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Linux Auditing patch and additional questions



On Friday 24 February 2006 17:02, Mauricio Lin wrote:
> I am looking for the patch done by Rik Faith according to the webpage
> http://lwn.net/Articles/73623/. The link
> http://people.redhat.com/faith/audit/audit-20040226.1411.patch looks not
> available anymore.

That's true, his site is gone. The patch has been accepted upstream, so all 
you need to do is look at kernel/audit*.c

> I would like to check the patch to see clearly the code included in the
> kernel and what exactly were changed.

There have been many, many, many changes since then. Best to look at current 
code.

> BTW, what is the main difference between the auditing syscall and the
> strace tool?

strace is for tracing system calls and controlled from user space. The audit 
system is meant to be a security tool for auditing user/program actions. Its 
designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA. The 
audit system is concerned with credentials and strace is not.

> Does auditing syscall provide more accurate values?

No. There is a problem in that the audit system collects just arg0 - arg3. No 
more. If the parameter is a pointer, then all you get is the address and not 
the value.

> Futhermore does auditing tool provide the time or elapsed time that a
> system call was allocated for each processor in a SMP platform?

It provides the time of the syscall based on the system clock.

> Does it trace the system call by processor?

No.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]