On Tue, 2004-12-14 at 15:00, Timothy R. Chavez wrote:
> Hello,
> I've been kind of thinking about this. Presumably, we want to audit
> both failed and successful attempts in whatever vfs function we happen
> to be in. For instance, if we fall out of vfs_mkdir because
> may_create returned an error, we'd like to receive an audit message
> that said something like, "filename=myfile syscall= mkdir()
> error=<errno>.....", but, would I want to do this by hooking each
> conditional statement? Is there a better approach? The only other
> one I can think of would be to have one exit point in the functions
> and audit right before we exit...

The audit framework already lets you audit on syscall exit, which lets
you capture information like this. As I understand it, you don't need
additional hooks for that purpose, just for enabling auditing based on
object identity and for propagating audit attributes on objects.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
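
Added example, not part of the original message or of the audit project's code: a sketch of how the syscall-exit record discussed above already yields the "filename / syscall / error" triple for both failed and successful mkdir calls. It assumes the type=SYSCALL and type=PATH record layout written by present-day Linux auditd and x86_64 syscall number 83 for mkdir; the log lines are constructed and the function names are hypothetical.

```python
import errno
import re

# Constructed sample records (assumed present-day auditd layout, not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1103054400.101:41): arch=c000003e syscall=83 success=no exit=-13 items=1 pid=2201 comm="mkdir"
type=PATH msg=audit(1103054400.101:41): item=0 name="myfile"
type=SYSCALL msg=audit(1103054400.250:42): arch=c000003e syscall=83 success=yes exit=0 items=1 pid=2202 comm="mkdir"
type=PATH msg=audit(1103054400.250:42): item=0 name="okdir"
type=SYSCALL msg=audit(1103054400.400:43): arch=c000003e syscall=83 success=no exit=-17 items=1 pid=2203 comm="mkdir"
type=PATH msg=audit(1103054400.400:43): item=0 name="okdir"
"""

MKDIR_X86_64 = 83  # assumption: x86_64 syscall table
SERIAL = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into key/value fields plus its event serial."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = SERIAL.search(line)
    fields["serial"] = m.group(1) if m else None
    return fields

def mkdir_outcomes(log):
    """Join SYSCALL and PATH records by serial; report each mkdir's result."""
    events = {}
    for line in log.splitlines():
        rec = parse(line)
        if rec["serial"] is None:
            continue  # not an audit record
        ev = events.setdefault(rec["serial"], {"names": []})
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["names"].append(rec.get("name"))
    out = []
    for ev in events.values():
        sc = ev.get("syscall")
        if not sc or int(sc["syscall"]) != MKDIR_X86_64:
            continue
        code = int(sc["exit"])  # negative errno on failure
        err = errno.errorcode.get(-code, str(-code)) if code < 0 else None
        out.append({"filename": ev["names"][0] if ev["names"] else None,
                    "syscall": "mkdir", "success": sc["success"] == "yes",
                    "error": err})
    return out
```

Calling `mkdir_outcomes(SAMPLE_LOG)` returns one entry per mkdir event, with the errno name taken from the exit value rather than from any hook inside vfs_mkdir.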