On Fri, Jan 19, 2007 at 02:39:55PM -0500, Steve Grubb wrote:
The following patch adds a new mode to the audit system. It uses the
audit_enabled config option to introduce the idea of audit enabled, but
configuration is immutable. Any attempt to change the configuration
while in this mode is audited. To change the audit rules, you'd need to
reboot the machine.
Seems reasonable to me. Just a couple of comments.
This patch also adds "res=" to a number of configuration commands that
did not have it before.
The res= idiom is unfamiliar to me, seems like an is_xxx name
(is_allowed?) would make it clear what the intent is for.
@@ -64,7 +64,9 @@
* (Initialization happens after skb_init is called.) */
static int audit_initialized;
-/* No syscall auditing will take place unless audit_enabled != 0. */
+/* 0 - no auditing
+ * 1 - auditing enabled
+ * 2 - auditing enabled and configuration is locked/unchangeable. */
int audit_enabled;
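Review bot: The replacement comment above audit_enabled drops the one rule the removed line stated, that no syscall auditing takes place unless the value is nonzero. With a third value now defined, the comment should say explicitly that any nonzero value means auditing is on and that 2 additionally locks the configuration, so nobody reading it is tempted to test for == 1 and treat the locked mode as disabled. audit_enabled is still a plain int, so it is also worth noting here that whatever sets it should reject values outside 0, 1 and 2.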
You probably want a #define or enum for these values, rather than
using magic numbers.
Thanks.
--
Steve Beattie
SUSE Labs, Novell Inc.
<sbeattie(a)suse.de>
http://NxNW.org/~steve/