On Tue, 14 Dec 2004 16:22:59 -0500, Stephen Smalley <sds(a)epoch.ncsc.mil> wrote:
> On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
> > Actually that's the problem - the hook functions only determine whether
> > the action is potentially auditable. It might only be auditable when
> > accessed by a certain user. Or, there might be a single user for whom
> > we want to audit every access. But that doesn't mean we want every access
> > by every user causing a partial audit record to be emitted.
> Yes, but why can't you make the full determination in your hook
> function? At the point of the hook function, you know:
> - the current process information,
> - the object information,
> - the call site.
Well, my original message I think was hinting at doing it this way?
But to do it effectively with only one hook, you'd need one exit
point, right? If you wanted to generate a complete record as soon as
you have it ready (from the VFS function) then you'd write out to the
log a one-off message from VFS... but that will completely separate
you from syscall filtering/auditing and change the topology of VFS
and... well, I value my life ;-).
> It is possible that you have some complex audit configuration in mind
> that requires tying together information from multiple hooks in order to
> determine whether or not to audit the operation, but I'm not sure
> whether that is necessary.
> --
> Stephen Smalley <sds(a)epoch.ncsc.mil>
> National Security Agency
--
- Timothy R. Chavez