On Thu, 27 Jan 2005 19:04:26 -0500, Avishay Traeger
<atraeger(a)cs.sunysb.edu> wrote:
> 4. Since we can trace both entries and exits, there should be a way to
> know what is an entry and what is an exit (I'm pretty sure you can't do
> this right now). Also, it would be good if you could somehow correlate
> entries and exits.
We only collect information in audit_syscall_entry() and this should
remain the case imho. We're able to send records to userland in
audit_syscall_exit() and audit_free() because we know that if we reach
audit_log_exit(), our record is complete (the syscall has finished
execution) even if it does come to userspace in pieces. From
audit_syscall_entry, we don't know this.
> Avishay Traeger
--
- Timothy R. Chavez