[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [patch RFC]: userspace crypto auditing



On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
> I'm posting these patches for early review; users of the code are not in
> the kernel yet.

Quick public comment (we chatted on IRC), there are already a number of user 
space crypto events. I think what is in the logs here can be fit into the 
existing categories and the user space ones can be replicated in the kernel.

-Steve
 

> Two new records are defined; in each case output of records is caused by a
> syscall, and all other syscall-related data (process identity, syscall
> result) is audited in the usual records.
> 
> AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
> changed.
> 
> AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
> crypto operation.  To disable auditing these records by default and to
> allow the users to selectively enable them using filters, a new filter
> field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
> thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
> 
> Attached for review are:
> - A kernel patch
> - An userspace audit patch
> - A few example audit entries
> 
>     Mirek


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]