On Wed, 29 Mar 2006 14:15:33 EST, Steve Grubb said:
> On Wednesday 29 March 2006 14:01, Stephen Smalley wrote:
> >> This patch brings the performance hit from 146% down to 11%. We need a
> >> similar patch for IPC syscall auditing.
> >
> > Not that I disagree with this change in approach, but I think that when
> > it has come up in the past, there has been concern expressed about the
> > fact that we could end up not being able to generate the context from
> > the SID when the audit record is being emitted (due to OOM condition),
> > and the operation has already occurred at that point.
> In that case, the patch writes out the sid number. Given a sid, is there a way
> to find it in the policy on disk? If not, that might be useful to have.
The problem is that by the time you go to snarf it out of the policy on disk,
it may no longer match the policy in effect at the time of the record generation.
The hole probably isn't *that* bad if auditd is doing the grovelling. It's almost
certainly an issue if ausearch is doing the correlation after the fact....
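Added example, not part of this thread or of the audit patch under discussion: a small Python model of the window the reply describes, in which a record carrying only a SID is resolved immediately (the auditd case) versus resolved later against a reloaded policy (the ausearch case). The SidTab class, its generation counter and the record layout are a constructed simplification that assumes a reload rebuilds the table and reassigns numbers; it models the failure mode being discussed, not how the kernel's real sidtab behaves. The mitigation shown, refusing to resolve a bare SID once the policy generation differs, is likewise an illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SidTab:
    """Toy model of a kernel SID table (hypothetical, not SELinux's sidtab)."""
    generation: int = 0                      # bumped on every policy reload
    contexts: Dict[int, str] = field(default_factory=dict)

    def intern(self, ctx: str) -> int:
        """Return the SID for a context string, allocating one if it is new."""
        for sid, known in self.contexts.items():
            if known == ctx:
                return sid
        sid = len(self.contexts) + 1
        self.contexts[sid] = ctx
        return sid

    def reload(self, contexts: List[str]) -> None:
        # Assumption for this model: a reload rebuilds the table from scratch,
        # so numbers are reassigned and an old SID silently changes meaning.
        self.generation += 1
        self.contexts = {}
        for ctx in contexts:
            self.intern(ctx)


@dataclass
class AuditRecord:
    syscall: str
    sid: int
    generation: int            # policy generation the SID is relative to
    context: Optional[str]     # None when the kernel could not build the string


def emit_record(tab: SidTab, syscall: str, sid: int, oom: bool = False) -> AuditRecord:
    """Kernel side: always log the SID; log the context string only if memory allows."""
    ctx = None if oom else tab.contexts.get(sid)
    return AuditRecord(syscall, sid, tab.generation, ctx)


def resolve_naive(tab: SidTab, rec: AuditRecord) -> Optional[str]:
    """After-the-fact lookup that trusts the SID against whatever policy is loaded now."""
    return rec.context if rec.context is not None else tab.contexts.get(rec.sid)


def resolve_checked(tab: SidTab, rec: AuditRecord) -> Optional[str]:
    """Lookup that resolves a bare SID only while the same policy generation is loaded."""
    if rec.context is not None:
        return rec.context
    if rec.generation != tab.generation:
        return None            # table no longer matches the one the record came from
    return tab.contexts.get(rec.sid)


def demo() -> dict:
    """Walk through the immediate-vs-later resolution cases on constructed data."""
    tab = SidTab()
    tab.intern("system_u:system_r:kernel_t:s0")                  # constructed, sid 1
    auditd_sid = tab.intern("system_u:system_r:auditd_t:s0")     # constructed, sid 2

    # IPC syscall audited under memory pressure: only the SID reaches the record.
    rec = emit_record(tab, "msgget", auditd_sid, oom=True)

    immediate = resolve_naive(tab, rec)      # auditd resolving right away: still correct

    # Policy reload with a different context order; sid 2 now names something else.
    tab.reload(["system_u:system_r:auditd_t:s0", "system_u:system_r:kernel_t:s0"])

    return {
        "immediate": immediate,
        "later_naive": resolve_naive(tab, rec),        # wrong context, no error
        "later_checked": resolve_checked(tab, rec),    # refuses rather than mislabel
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

The point of `resolve_checked` is that a bare SID in a record is only meaningful alongside some identifier of the policy it was issued under; without that, a later correlation step cannot tell a correct answer from a stale one.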