* Klaus Weidner (klaus(a)atsec.com) wrote:
I think this is the fundamental disagreement here - if you want to filter
audit records based on object identity, you need to have the object
identity information available when applying the filter rules. If you
want to do the filtering in the kernel, there isn't really any
alternative to storing this information in kernel space.
Hmm, it's been a while since I looked at the CAPP audit requirements, but
doesn't it require action if the log is full? E.g., possibly not allowing
the request to complete?
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net