Re: best way to audit in vfs
On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
Actually that's the problem - the hook functions only determine
whether
the action is potentially auditable. It might only be auditable when
accessed by a certain user. Or, there might be a single user for whom
we want to audit every access. But that doesn't mean we want every access
by every user causing a partial audit record to be emitted.
Yes, but why can't you make the full determination in your hook
function? At the point of the hook function, you know:
- the current process information,
- the object information,
- the call site.
It is possible that you have some complex audit configuration in mind
that requires tying together information from multiple hooks in order to
determine whether or not to audit the operation, but I'm not sure
whether that is necessary.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency