[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Auditing detach in Laus



I realise that Laus is not the primary focus of this list, but I'm
hoping there might be some experience here.

I'd like to audit a Laus detach, which as I understand it is implemented
as an ioctl (AUIOCDETACH) on /dev/audit. For debugging purposes, I've
stripped my rule back to the following:

tag "AUDIT_ioctl"
syscall ioctl = is-auditdevice(arg0);

I get nothing on detach, although I get plenty of other hits on this
rule. My best guess is that it doesn't evaluate these rules until call
completion, by which time the process is already detached. Is this
right? If so, this would be a fairly severe architectural flaw. Either
way, I'd like to be able to make an informed recommendation to my
customer.

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]