[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Linux Auditing patch and additional questions

On 2/24/06, Steve Grubb <sgrubb redhat com> wrote:
On Friday 24 February 2006 17:02, Mauricio Lin wrote:
> I am looking for the patch done by Rik Faith according to the webpage
> http://lwn.net/Articles/73623/. The link
> http://people.redhat.com/faith/audit/audit-20040226.1411.patch looks not
> available anymore.

That's true, his site is gone. The patch has been accepted upstream, so all
you need to do is look at kernel/audit*.c

> I would like to check the patch to see clearly the code included in the
> kernel and what exactly were changed.

There have been many, many, many changes since then. Best to look at current

> BTW, what is the main difference between the auditing syscall and the
> strace tool?

strace is for tracing system calls and controlled from user space. The audit
system is meant to be a security tool for auditing user/program actions. Its
designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA. The
audit system is concerned with credentials and strace is not.

> Does auditing syscall provide more accurate values?

No. There is a problem in that the audit system collects just arg0 - arg3. No
more. If the parameter is a pointer, then all you get is the address and not
the value.

> Futhermore does auditing tool provide the time or elapsed time that a
> system call was allocated for each processor in a SMP platform?

It provides the time of the syscall based on the system clock.

OK. System calls can sleep and perhaps in SMP platform it can run in a different processor because of load balancer feature. The system clock is registered on the entry point of syscall, right?

After that if syscall is put in the waitqueue, nothing is registered when it is awaked again to use the processor. Am I right?

> Does it trace the system call by processor?



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]