On Sunday 09 January 2005 07:04, Klaus Weidner wrote:
> If the kernel can't reliably access the needed information, the audit
> userspace message function must be modified to work synchronously, so
> that the trusted program doesn't proceed until the kernel had a chance to
> pick up the data.

I'm not sure it needs to block, we just need to collect everything we need in
1 shot.

> It's definitely a CAPP and LSPP requirement to have the correct user
> identity contained reliably in the audit record. Having it glued together
> in userspace would be acceptable as long as it's transparent to the admin
> and doesn't have problems with log file rollover etc.

Gluing it together in userspace will be low performance and the information
needed may not be in a log. The patch to collect loginuid in af_netlink is
probably 6-7 lines, tops. The solution in userspace will require *much* more
programming and performance will be bad because of having to search for the
needed info and there's no guarantee the needed info exists.
-Steve