Re: best way to audit in vfs
Quoting Stephen Smalley (sds(a)epoch.ncsc.mil):
On Tue, 2004-12-14 at 16:24, Serge E. Hallyn wrote:
> Actually that's the problem - the hook functions only determine whether
> the action is potentially auditable. It might only be auditable when
> accessed by a certain user. Or, there might be a single user for whom
> we want to audit every access. But that doesn't mean we want every access
> by every user causing a partial audit record to be emitted.
Yes, but why can't you make the full determination in your hook
function? At the point of the hook function, you know:
- the current process information,
- the object information,
- the call site.
Good point.
It is possible that you have some complex audit configuration in
mind
that requires tying together information from multiple hooks in order to
determine whether or not to audit the operation, but I'm not sure
whether that is necessary.
No, I think we all agree that anything much more complicated should be done
in userspace. The only real reason to care about doing some in kernel space,
I think, is to minimize wasted kernel->auditd traffic.
-serge