--- Leigh Purdie <Leigh.Purdie(a)intersectalliance.com> wrote:
Usually, from an on-system filtering perspective, the auditor is interested in the real user ID only. The other IDs are very useful in follow-up analysis though.
In C2 and CAPP evaluations I've worked on the real userid was deemed too volatile to identify the user who had logged in. Solaris and Irix maintain a separate "audit user id" that is set at login and not changed, even by su.
> 4. Do you mean the path name "/tmp/foo", or the inode 86753 on the root file system? What about symlinks, mount points, and/or pseudo filesystem redirections?
This is where it gets nasty, doesn't it. ;)
Yup!
Snare works this way (bouncing every single file open through to the audit daemon for resolution, when a user has requested file open auditing). Not optimal, which is why filtering in-kernel may be more appropriate - but even so, users have reported single-figure-percentage reductions in performance when file auditing + regexp filtering is used.
Here's food for thought. I'll owe a beer to the first person who figures out the right answer to this riddle: On Irix you can improve compiler performance by installing the audit module, but leaving it turned off. How can this be?
=====
Casey Schaufler
casey(a)schaufler-ca.com