Follow up on auditing cmdline

William Roberts bill.c.roberts at gmail.com
Wed Nov 6 01:43:03 UTC 2013


So this still seems to be lingering as unresolved in my mind. I need to
find out what the remaining reservations are on this feature. I am going to
try and summarize...

Steve Grubb:
1. Any way to use argv values, as cmdline could be a page (too big)
2. Doesn't like disappearing audit entries

Richard Briggs:
1. Can we make it dynamic on/off

Stephen Smalley:
1. Can we cache the data for performance reasons

So I addressed RGB's issues, which led to one of Steve Grubb's concerns.
Which I can address both with: if feature on, then print cmdline=value, else
print cmdline=(null)

Unfortunately the data I want to audit is the full proc/cmdline entry, which I
think is the most generic way of getting at potential vm data through various
fork mazes on Android, as well as gathering the data on other architectures.
This also prevents us from hitting the 16 char width issue on task->comm.
Increasing that will result in more non-pageable kernel memory use, versus my
transient use of a page. I also need to make sure I can get this data before
the process terminates, which can happen if I try to acquire it in user-space.

Also, on error conditions, the last patch version will not print
cmdline=(null) which is an error and can be trivially corrected.

But before I put more time into it, I want to make sure the underlying idea
will be accepted; architectures, caching, print formats etc. are all
trivial.


-- 
Respectfully,

William C Roberts