* Casey Schaufler (casey(a)schaufler-ca.com) wrote:
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format? If you did you wouldn't have to
> care if any given bit of information was there
> just yet, or allocate a place for things that
> might or might not be there someday. Both Solaris
> and Irix use tokenized schemes to effect.
You mean BSM format? Yes, I think Serge and I talked about it briefly
a few months ago. The current method is tokenized and reasonably
extensible. It's not quite record+tokens like BSM, but there's an initial
record that tells you how many ancillary records (items) to expect.
And each record is made up primarily of token=value pairs. I think
we should provide what makes sense, and do any BSM type translation
in userspace. But having _some_ BSM compatibility would be wise, since
that's what many tools deal with.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
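The reply above describes a record layout where an initial record announces how many ancillary item records follow, and every record is a sequence of token=value pairs, so a consumer can ignore tokens it does not know and tolerate tokens that are absent. The following is an added example of a userspace consumer for such a layout; it is not code from the kernel audit subsystem, from the LSM project, or from either poster. The record lines, and the token names `type`, `serial`, `items` and `item`, are constructed for this example and are assumptions, not the real audit format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (assumed token names, not the kernel's format):
# an initial record announcing two ancillary items, its two items, and a
# second initial record announcing none.
SAMPLE_RECORDS = [
    'type=SYSCALL serial=17 syscall=5 success=yes exit=3 uid=1000 items=2',
    'type=PATH serial=17 item=0 name="/etc/passwd" inode=1234 mode=0100644',
    'type=PATH serial=17 item=1 name="/etc/shadow" inode=1235 mode=0100600',
    'type=SYSCALL serial=18 syscall=3 success=no exit=-13 uid=1000 items=0',
]

# A token is NAME=VALUE; VALUE is either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-whitespace characters.
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_tokens(line):
    """Split one record into a dict of token -> value.

    Unknown tokens are kept and missing tokens simply do not appear, which is
    the property that makes a tokenized format easy to extend.
    """
    tokens = {}
    for name, value in TOKEN_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        tokens[name] = value
    return tokens


@dataclass
class AuditEvent:
    """An initial record plus the ancillary item records it announced."""
    initial: dict
    items: list = field(default_factory=list)
    expected_items: int = 0

    @property
    def complete(self):
        # True once every announced item record has arrived.
        return len(self.items) == self.expected_items


def assemble_events(lines):
    """Group a stream of records into events using the announced item count.

    Records are correlated by the (assumed) 'serial' token. An item that
    arrives with no open initial record is kept as its own event rather than
    dropped, so nothing in the stream is silently lost.
    """
    events = []
    open_events = {}  # serial -> AuditEvent still waiting for item records
    for line in lines:
        tok = parse_tokens(line)
        serial = tok.get("serial")
        if "items" in tok:
            ev = AuditEvent(initial=tok, expected_items=int(tok["items"]))
            events.append(ev)
            if ev.expected_items > 0:
                open_events[serial] = ev
            continue
        ev = open_events.get(serial)
        if ev is None:
            events.append(AuditEvent(initial=tok))
            continue
        ev.items.append(tok)
        if ev.complete:
            del open_events[serial]
    return events


def incomplete_events(events):
    """Events whose announced item count was not met (truncated stream)."""
    return [ev for ev in events if not ev.complete]


if __name__ == "__main__":
    for ev in assemble_events(SAMPLE_RECORDS):
        print(ev.initial.get("type"), "serial", ev.initial.get("serial"),
              "items", len(ev.items), "complete", ev.complete)
```

Because the consumer looks tokens up by name, a record that gains a new token tomorrow, or omits one today, parses the same way; the only structural dependency is the item count in the initial record, which `incomplete_events` lets a collector check when a stream is cut short.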