Quoting Stephen Smalley (sds(a)epoch.ncsc.mil):
> On Tue, 2004-12-14 at 16:09, Timothy R. Chavez wrote:
> > Yes,
> >
> > But you have the problem of incomplete logs. For testing purposes the
> > audit log should contain coherent and complete records only. What
> > about just adding a list_head to the audit_context and we can just add
> > all the necessary information about each object to that list then just
> > write-out on syscall exit?
> As soon as you know that the object is auditable, you presumably would
> like to have an audit record about it, even if the full operation
> doesn't complete (in fact, if you've determined that the object is
> auditable, you want to immediately verify that you can at least audit
> that information; otherwise, you may need to take some emergency action
> then, not after the operation has completed and it is too late). Note
> that your hook functions are what is determining whether or not an audit
> record should be generated (based on the object information).
Actually that's the problem - the hook functions only determine whether
the action is potentially auditable. It might only be auditable when
accessed by a certain user. Or, there might be a single user for whom
we want to audit every access. But that doesn't mean we want every access
by every user causing a partial audit record to be emitted.
Please let me know if I'm thinking wrongly...
-serge
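The design being argued over above, as an added illustration that is neither code from this thread nor from the kernel audit subsystem: hooks append every object they see to a list on a per-syscall context, and the decision whether to write a record is taken once, at syscall exit, when both the subject (uid) and the objects are known. The names (audit_ctx, audit_hook_object, audit_syscall_exit, rule_matches), the two constructed rules (audit everything uid 1000 does, audit /etc/shadow for anyone) and the sample paths are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not kernel code: a per-syscall audit context that
 * collects every object a hook sees and decides only at syscall exit
 * whether to write one complete record. */

struct audit_obj {
    char path[64];
    struct audit_obj *next;
};

struct audit_ctx {
    unsigned int uid;           /* uid of the calling task (the subject) */
    const char *syscall;        /* syscall name, for the record */
    struct audit_obj *objs;     /* singly linked list filled by hooks */
    size_t nobjs;
    int completed;              /* set at exit: 1 = syscall succeeded */
};

void audit_ctx_init(struct audit_ctx *ctx, unsigned int uid, const char *syscall)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->uid = uid;
    ctx->syscall = syscall;
}

/* Hook side: an object was touched. It is only *potentially* auditable,
 * so the hook records it and defers the decision. Returns 0 on success. */
int audit_hook_object(struct audit_ctx *ctx, const char *path)
{
    struct audit_obj *o = calloc(1, sizeof(*o));
    if (!o)
        return -1;
    strncpy(o->path, path, sizeof(o->path) - 1);
    o->next = ctx->objs;        /* prepend; order is not significant here */
    ctx->objs = o;
    ctx->nobjs++;
    return 0;
}

/* Rule evaluation needs subject and object together, which is why a hook
 * alone cannot decide. Constructed rules: every access by uid 1000 is
 * audited, and /etc/shadow is audited for any uid. */
static int rule_matches(const struct audit_ctx *ctx, const struct audit_obj *o)
{
    if (ctx->uid == 1000)
        return 1;
    if (strcmp(o->path, "/etc/shadow") == 0)
        return 1;
    return 0;
}

/* Exit side: walk the list once, emit one complete record into out if any
 * object matches, and free the list either way. Returns 1 if a record was
 * written, 0 if nothing was emitted (so no partial records ever appear). */
int audit_syscall_exit(struct audit_ctx *ctx, int success, char *out, size_t outlen)
{
    struct audit_obj *o, *next;
    int emit = 0;
    size_t used = 0;

    ctx->completed = success;
    for (o = ctx->objs; o; o = o->next)
        if (rule_matches(ctx, o)) { emit = 1; break; }

    if (emit && outlen) {
        int n = snprintf(out, outlen, "syscall=%s uid=%u success=%d nobjs=%zu",
                         ctx->syscall, ctx->uid, success, ctx->nobjs);
        used = (n < 0 || (size_t)n >= outlen) ? outlen - 1 : (size_t)n;
        for (o = ctx->objs; o; o = o->next) {
            n = snprintf(out + used, outlen - used, " path=%s", o->path);
            if (n < 0 || (size_t)n >= outlen - used)
                break;              /* record truncated; stop appending */
            used += (size_t)n;
        }
    }

    for (o = ctx->objs; o; o = next) { next = o->next; free(o); }
    ctx->objs = NULL;
    ctx->nobjs = 0;
    return emit;
}

int main(void)
{
    struct audit_ctx ctx;
    char rec[256];

    /* uid 500 touches a scratch file and /etc/shadow in one syscall:
     * the shadow rule fires, so one record naming both objects is written. */
    audit_ctx_init(&ctx, 500, "open");
    audit_hook_object(&ctx, "/tmp/scratch");
    audit_hook_object(&ctx, "/etc/shadow");
    if (audit_syscall_exit(&ctx, 1, rec, sizeof rec))
        puts(rec);

    /* uid 500 touches only scratch files: nothing is emitted at all. */
    audit_ctx_init(&ctx, 500, "open");
    audit_hook_object(&ctx, "/tmp/scratch");
    if (!audit_syscall_exit(&ctx, 1, rec, sizeof rec))
        puts("no record");
    return 0;
}
```

The trade-off the two mails describe is visible in the code: because nothing is written until audit_syscall_exit runs, a task that never reaches the exit path (killed mid-syscall, or the machine going down) leaves no trace of the object it touched, which is the loss Stephen is worried about; in exchange, accesses that match no rule for this subject never produce a fragmentary record, which is the noise Serge wants to avoid. A real implementation would also have to bound the list (or the record) so that a syscall touching many objects cannot exhaust memory or silently truncate.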