
Re: [patch RFC]: userspace crypto auditing

On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
> I'm posting these patches for early review; users of the code are not in
> the kernel yet.

Quick public comment (we chatted on IRC), there are already a number of user 
space crypto events. I think what is in the logs here can be fit into the 
existing categories and the user space ones can be replicated in the kernel.


> Two new records are defined; in each case output of records is caused by a
> syscall, and all other syscall-related data (process identity, syscall
> result) is audited in the usual records.
> AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
> changed.
> AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
> crypto operation.  To disable auditing these records by default and to
> allow the users to selectively enable them using filters, a new filter
> field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
> thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
> Attached for review are:
> - A kernel patch
> - A userspace audit patch
> - A few example audit entries
>     Mirek
