On Tue, Dec 14, 2004 at 01:28:11PM -0800, Chris Wright wrote:
* Klaus Weidner (klaus(a)atsec.com) wrote:
> I think this is the fundamental disagreement here - if you want to filter
> audit records based on object identity, you need to have the object
> identity information available when applying the filter rules. If you
> want to do the filtering in the kernel, there isn't really any
> alternative to storing this information in kernel space.
Hmm, it's been a while since I looked at CAPP audit requirements, but
doesn't it require action if log is full? E.g., possibly not allowing
request to complete?
It does, but this does not need to be instantaneous. The current plan is
that auditd notifies the kernel if it detects an "out of disk space"
condition, and this will tell the kernel that it shouldn't queue any
additional records.
When the in-kernel queue is full, any system calls that need to generate
an audit record block and wait for space to become available again. (BTW,
this may be an argument against generating audit records at arbitrary
places in the kernel, since such waiting may not be possible there.)
CAPP requires that the lossage of audit data has been minimized by the
developer and clearly documented. Losing a couple of records if the disk
is full and the system then crashes is acceptable from a CAPP point of
view.
-Klaus