--- Chris Wright <chrisw(a)osdl.org> wrote:
> You mean BSM format?

BSM is one example. Irix is another. They're both based on a proposal
presented to the POSIX group by one W. Olin Sibert.

> Yes, I think Serge and I talked about it briefly a few months ago.
> The current method is tokenized and reasonably extensible. It's not
> quite record+tokens like BSM, but there's an initial record that
> tells you how many ancillary records (items) to expect.

This self-describing behavior is what's important. It allows you to
throw in additional process and file attributes (e.g. MAC labels,
ACLs) as necessary.

> And each record is made up primarily of token=value pairs.
Very good. If you document the legitimate tokens and the kind of
information in the value you're a long way toward a useful audit
system.
> I think we should provide what makes sense, and do any BSM type
> translation in userspace.

A reasonable option. That's how SGI dealt with a major overhaul to
the audit format in Irix6.5.

> But having _some_ BSM compatibility would be wise, since that's
> what many tools deal with.

At least a description of what's in the records and tokens to make
it easy for an individual who is inclined to attempt such a
translation is in order.
=====
Casey Schaufler
casey(a)schaufler-ca.com
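As an added illustration (not code from this thread or from the kernel audit subsystem) of the self-describing layout discussed above, the following Python groups records by event serial and checks that the count announced by the initial record matches the ancillary records that actually arrived. It assumes the Linux audit line format (`type=... msg=audit(ts:serial): token=value ...`, with `items=` on the SYSCALL record and one PATH record per item); the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample: event 42's initial SYSCALL record announces items=2 and is
# followed by its CWD and two PATH records; event 43 announces items=1 but its
# PATH record never arrived, so the consistency check should flag it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1100000000.123:42): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=1234 uid=0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1100000000.123:42): cwd="/root"
type=PATH msg=audit(1100000000.123:42): item=0 name="/etc/passwd" inode=1 mode=0100644
type=PATH msg=audit(1100000000.123:42): item=1 name="/etc/shadow" inode=2 mode=0100600
type=SYSCALL msg=audit(1100000001.456:43): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1235 uid=1000 comm="vi" exe="/usr/bin/vi"
type=CWD msg=audit(1100000001.456:43): cwd="/home/user"
"""

# Record header: type, timestamp, per-event serial, then the token=value body.
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
# token=value pairs; values are either a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into its type, serial and token=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(body)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}

def group_events(text):
    """Collect the initial and ancillary records of each event by serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)

def check_event(records):
    """Return (announced items, PATH records seen, whether they agree)."""
    initial = next((r for r in records if r["type"] == "SYSCALL"), None)
    if initial is None:
        return (None, 0, False)
    expected = int(initial["fields"].get("items", 0))
    seen = sum(1 for r in records if r["type"] == "PATH")
    return (expected, seen, expected == seen)
```

A mismatch between the announced and observed item counts is the kind of gap (dropped or truncated ancillary records) that a collector should surface rather than silently accept.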