1:28 p.m.
On Mon, 17 Jan 2005 11:10:29 -0800 (PST), Casey Schaufler
<casey(a)schaufler-ca.com> wrote:
--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
> ... Better to
> do this filtering
> in userspace via a daemon then in the kernel. We
> should keep the
> in-kernel audit subsystem as small and efficient as
> possible.
> Anything that can be delegated to userspace should
> be delegated to
> userspace.
For this scheme to work the kernel has to
generate all possible records and pass them
on for filtering. This is much less efficient
than having the kernel filter records that
are known to be uninteresting. Filtering
must be done at a place where sufficient
information is available to make the choice,
and that means it must be done in the kernel
or that all possible filtering criteria must
be passed on.
Right, and such filtering already exists in the kernel and is mostly,
if not completely, sufficient to meet this goal. What I was getting
at is that there may be a desire to do additional filtering that goes
above and beyond what the kernel is capable of doing. Thus. this is
one reason why the audit daemon and not the kernel, should be used to
write out to the actual log file.
<snip>
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Meet the all-new My Yahoo! - Try it today!
http://my.yahoo.com
--
- Timothy R. Chavez
2:14 p.m.
New subject: [PATCH] enable /proc/$$/loginuid
--- "Timothy R. Chavez" <chavezt(a)gmail.com> wrote:
Right, and such filtering already exists in the
kernel and is mostly,
if not completely, sufficient to meet this goal.
What I was getting
at is that there may be a desire to do additional
filtering that goes
above and beyond what the kernel is capable of
doing. Thus. this is
one reason why the audit daemon and not the kernel,
should be used to
write out to the actual log file.
Ah, yes. The initial version of SunOS audit
(back in the late 1980's) wrote directly from
the kernel to disk. The lesson was quickly
learned. Log file management, filtering,
notification, and a number of other functions
are much better done in user space code.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
All your favorites on one personal page � Try My Yahoo!
http://my.yahoo.com
3:22 p.m.
New subject: [PATCH] enable /proc/$$/loginuid
On Mon, 2005-01-17 at 12:14 -0800, Casey Schaufler wrote:
Ah, yes. The initial version of SunOS audit
(back in the late 1980's) wrote directly from
the kernel to disk. The lesson was quickly
learned. Log file management, filtering,
notification, and a number of other functions
are much better done in user space code.
Believe it or not, it still does. :(
The solaris auditd functions as a 'management layer' for the kernel, but
effectively all it really does, is:
a) turn on/off particular events according to configurations
in /etc/security/audit_control, audit_event, and audit_class
b) open a file (eg: /var/audit/1234567.not-terminated.log), and pass the
file handle + a 'exit auditsvc if disk space falls below this threshold'
parameter to the auditsvc() system call.
However, they did add the capability to pass a 'pipe' file handle to
auditsvc() around 2.6, which meant that a third party app (like snare)
could add in some more advanced management/filtering etc.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
4:41 p.m.
New subject: [PATCH] enable /proc/$$/loginuid
--- Leigh Purdie <Leigh.Purdie(a)intersectalliance.com>
wrote:
Believe it or not, it still does. :(
The solaris auditd functions as a 'management layer'
for the kernel, but
effectively all it really does, is:
a) turn on/off particular events according to
configurations
in /etc/security/audit_control, audit_event, and
audit_class
b) open a file (eg:
/var/audit/1234567.not-terminated.log), and pass the
file handle + a 'exit auditsvc if disk space falls
below this threshold'
parameter to the auditsvc() system call.
Yerg. Code I wrote before my forehead
meet my bald spot, still in use.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail
3:52 p.m.
New subject: [PATCH] enable /proc/$$/loginuid
On Mon, 2005-01-17 at 13:28 -0600, Timothy R. Chavez wrote:
Although I think this bit is still up for discussion:
Right, and such filtering already exists in the kernel and is
mostly,
if not completely, sufficient to meet this goal.
I absolutely agree with this:
What I was getting
at is that there may be a desire to do additional filtering that goes
above and beyond what the kernel is capable of doing. Thus. this is
one reason why the audit daemon and not the kernel, should be used to
write out to the actual log file.
Note though, that the Solaris approach of passing a pipe file descriptor
to the kernel may still be a viable alternative if people REALLY want to
go down this path (wouldn't recommend it though, based on all the
troubles Sun have had with this approach).
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
7279
days inactive
7279
days old
linux-audit@lists.linux-audit.osci.io
4 comments
3 participants
participants (3)
-
Casey Schaufler -
Leigh Purdie -
Timothy R. Chavez