On Thu, Dec 16, 2004 at 08:37:54AM +1100, Leigh Purdie wrote:
> Unfortunately, there are many examples of where CAPP requirements, and
> real-world-usage significantly differ. :)
>
> I suspect this is more of a political discussion than something that
> deserves to be in a feature-set analysis ;) .. but since the two
> slightly overlap; based on over 10 years of working with audit
> subsystems on many OS's, in many agencies, I'm just trying to bring a
> summary of the key customer requirements that we've seen over time to
> the discussion.
Your input is very valuable to this, and I agree that the goal should be
to have something generally useful and not just strictly doing the bare
minimum needed to meet the CAPP requirements.
However, I think it helps in this discussion to at least keep in mind
where different requirements are coming from, since the different
expectations people have about what the audit system is supposed to do
are different enough already.
Roughly, I think there are at least the following separate goals:
- achieving basic CAPP compliance so that a product using this
implementation can be used in environments where this is formally
required.
- provide useful security event auditing during normal system operation,
similar in spirit to CAPP but differing in details, such as performance
requirements, additional flexibility needed, and maybe not insisting on
some details that CAPP specifies.
- provide information suitable for forensics in case something really
unexpected happens. Some ideas mentioned here concerned the information
available after a crash, maybe involving the exploit of a previously
unknown security flaw.
- provide a debugging tool - I hope we're mostly in agreement that this
isn't something that the audit system should be designed for, that
should be a separate tracing system that maybe shares some
infrastructure.
The point is that it's worthwhile to at least look at different
requirements, but not to get bogged down in attempts to achieve the
"perfect" system, especially if that turns out to be impossible due to
conflicting requirements. I personally think that a combination of the
first two (CAPP + real-world usefulness) is achievable but adding more
requirements runs the risk of not getting any working solution at all
anytime soon.
-Klaus