[patch RFC]: userspace crypto auditing
by Miloslav Trmac
Hello,
I'm posting these patches for early review; users of the code are not in the kernel yet.
Two new records are defined; in each case output of records is caused by a syscall, and all other syscall-related data (process identity, syscall result) is audited in the usual records.
AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is changed.
AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a crypto operation. To disable auditing these records by default and to allow the users to selectively enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
Attached for review are:
- A kernel patch
- A userspace audit patch
- A few example audit entries
Mirek
14 years, 5 months
Filter
by List Quest
Hi,
I need to filter logs by terminal name (if tty/terminal equals none, write to audit.log).
Example: -a entry,always -S execve -F tty!=none
But tty is not in the filter parameter list. How can I do this?
Thank You
Best Regards
14 years, 5 months