On 2/24/06, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday 24 February 2006 17:02, Mauricio Lin wrote:
> I am looking for the patch done by Rik Faith according to the webpage
> http://lwn.net/Articles/73623/. The link
> http://people.redhat.com/faith/audit/audit-20040226.1411.patch does not
> seem to be available anymore.
That's true, his site is gone. The patch has been accepted upstream, so all
you need to do is look at kernel/audit*.c
> I would like to check the patch to see clearly the code included in the
> kernel and what exactly was changed.
There have been many, many, many changes since then. Best to look at current
code.
> BTW, what is the main difference between the auditing syscall and the
> strace tool?
strace is for tracing system calls and is controlled from user space. The
audit system is meant to be a security tool for auditing user/program actions.
It's designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA.
The audit system is concerned with credentials and strace is not.
> Does auditing syscall provide more accurate values?
No. There is a problem in that the audit system collects just arg0 - arg3. No
more. If the parameter is a pointer, then all you get is the address and not
the value.
> Furthermore, does the auditing tool provide the time or elapsed time that a
> system call was allocated for each processor on an SMP platform?
It provides the time of the syscall based on the system clock.
OK. System calls can sleep, and perhaps on an SMP platform they can run on a
different processor because of the load balancer feature. The system clock is
registered at the entry point of the syscall, right?
After that, if the syscall is put in a waitqueue, nothing is registered when it
is woken again to use the processor. Am I right?
Does it trace the system call by processor?
No.
-Steve
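An added illustration of the two points Steve makes above (the kernel records only a0..a3, and a pointer argument shows up as an address, not its contents; the record carries one timestamp and no per-CPU field). This is example code written for this page, not code from the thread or from the audit project. It parses three constructed x86_64 audit records for an open(2) call (syscall number 2 on x86_64; the a0..a3 field names and the SYSCALL/CWD/PATH record types are the real audit log layout). The file name is recovered from the PATH record, not from a0, which is just a user-space address.

```python
import re
from collections import defaultdict

# Constructed sample audit records (x86_64 layout); not captured from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1140800000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5fbff8a0 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="watch-etc"
type=CWD msg=audit(1140800000.123:456): cwd="/home/mauricio"
type=PATH msg=audit(1140800000.123:456): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(<epoch.ms>:<serial>)

OPEN_SYSCALL_NR = 2   # open(2) on x86_64: (pathname*, flags, mode)
ARGS_PER_RECORD = 4   # the kernel logs a0..a3 only, whatever the syscall's arity


def parse_record(line):
    """Split one audit line into a dict of field -> value, with quotes stripped."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(rec["msg"])
    rec["timestamp"] = float(m.group(1))   # one clock reading per event
    rec["serial"] = int(m.group(2))        # links SYSCALL/CWD/PATH records together
    return rec


def group_events(log_text):
    """Group records by serial number so one syscall's records are seen together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return dict(events)


def decode_open_flags(flags):
    """Decode the common open(2) flag bits (x86_64 values)."""
    access = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}[flags & 3]
    extra = [name for bit, name in ((0o100, "O_CREAT"), (0o1000, "O_TRUNC"),
                                    (0o2000, "O_APPEND")) if flags & bit]
    return "|".join([access] + extra)


def summarize_open(records):
    """Interpret an open(2) event: raw args from a0..a3, the name from PATH."""
    sc = next(r for r in records if r["type"] == "SYSCALL")
    if int(sc["syscall"]) != OPEN_SYSCALL_NR:
        raise ValueError("not an open(2) event")
    args = [int(sc["a%d" % i], 16) for i in range(ARGS_PER_RECORD)]
    paths = [r["name"] for r in records if r["type"] == "PATH"]
    return {
        "timestamp": sc["timestamp"],
        "pathname_ptr": hex(args[0]),             # a0 is only a user-space address
        "pathname": paths[0] if paths else None,  # the string comes from PATH
        "flags": decode_open_flags(args[1]),
        "mode": oct(args[2]),
        "auid": int(sc["auid"]),                  # login uid: the credential strace lacks
        "cpu": None,                              # no per-CPU field exists in the record
    }


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE_LOG).items():
        print(serial, summarize_open(recs))
```

The `cpu` entry is always `None` on purpose: the record format has nowhere to put which processor handled the call, which is the answer to the SMP question in the thread.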