On Sat, Apr 23, 2005 at 12:56:43AM +1000, David Woodhouse wrote:
> Two weeks ago on our conference call, I asked if there were any other
> syscalls where I should add similar hooks to log the data which are
> actually acted upon, rather than merely the pointer. This morning I'll
> ask again -- are there any more system calls where we need to log
> anything more than the arguments to the syscall?

In Laus, we decided to log various ioctls related to configuration
changes - mostly the network stuff, but some others as well.
capset() would also be fairly important I guess, as well as setgroups,
setrlimit, setdomainname, the module related stuff, *xattr, setrlimit.
settimeofday and stime as well.
You also need to intercept rtnetlink messages to catch all network
related configuration changes, but I guess you're already doing
that somewhere else.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir(a)suse.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax