4:02 p.m.
Hi all,
I am looking for the patch done by Rik Faith according to the webpage
http://lwn.net/Articles/73623/. The link
http://people.redhat.com/faith/audit/audit-20040226.1411.patch looks not
available anymore.
I would like to check the patch to see clearly the code included in the
kernel and what exactly were changed.
BTW, what is the main difference between the auditing syscall and the strace
tool?
Does auditing syscall provide more accurate values?
Futhermore does auditing tool provide the time or elapsed time that a system
call was allocated for each processor in a SMP platform? Does it trace the
system call by processor?
BR,
Mauricio Lin.
4:14 p.m.
On Friday 24 February 2006 17:02, Mauricio Lin wrote:
I am looking for the patch done by Rik Faith according to the
webpage
http://lwn.net/Articles/73623/. The link
http://people.redhat.com/faith/audit/audit-20040226.1411.patch looks not
available anymore.
That's true, his site is gone. The patch has been accepted upstream, so all
you need to do is look at kernel/audit*.c
I would like to check the patch to see clearly the code included in
the
kernel and what exactly were changed.
There have been many, many, many changes since then. Best to look at current
code.
BTW, what is the main difference between the auditing syscall and
the
strace tool?
strace is for tracing system calls and controlled from user space. The audit
system is meant to be a security tool for auditing user/program actions. Its
designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA. The
audit system is concerned with credentials and strace is not.
Does auditing syscall provide more accurate values?
No. There is a problem in that the audit system collects just arg0 - arg3. No
more. If the parameter is a pointer, then all you get is the address and not
the value.
Futhermore does auditing tool provide the time or elapsed time that
a
system call was allocated for each processor in a SMP platform?
It provides the time of the syscall based on the system clock.
Does it trace the system call by processor?
No.
-Steve
4:58 p.m.
On 2/24/06, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday 24 February 2006 17:02, Mauricio Lin wrote:
> I am looking for the patch done by Rik Faith according to the webpage
> http://lwn.net/Articles/73623/. The link
> http://people.redhat.com/faith/audit/audit-20040226.1411.patch looks not
> available anymore.
That's true, his site is gone. The patch has been accepted upstream, so
all
you need to do is look at kernel/audit*.c
> I would like to check the patch to see clearly the code included in the
> kernel and what exactly were changed.
There have been many, many, many changes since then. Best to look at
current
code.
> BTW, what is the main difference between the auditing syscall and the
> strace tool?
strace is for tracing system calls and controlled from user space. The
audit
system is meant to be a security tool for auditing user/program actions.
Its
designed to meet security requirements like CAPP, NISPOM, SOX, or HIPAA.
The
audit system is concerned with credentials and strace is not.
> Does auditing syscall provide more accurate values?
No. There is a problem in that the audit system collects just arg0 - arg3.
No
more. If the parameter is a pointer, then all you get is the address and
not
the value.
> Futhermore does auditing tool provide the time or elapsed time that a
> system call was allocated for each processor in a SMP platform?
It provides the time of the syscall based on the system clock.
OK. System calls can sleep and perhaps in SMP platform it can run in a
different processor because of load balancer feature. The system clock is
registered on the entry point of syscall, right?
After that if syscall is put in the waitqueue, nothing is registered when it
is awaked again to use the processor. Am I right?
Does it trace the system call by processor?
No.
-Steve
5:09 p.m.
On Friday 24 February 2006 17:58, Mauricio Lin wrote:
The system clock is registered on the entry point of syscall, right?
No, its only referenced at the point that the audit system decides it needs to
write an audit event. Look at the function audit_get_stamp(). Its called by
audit_log_start. You can look for its callers to see when this occurs.
After that if syscall is put in the waitqueue, nothing is registered
when
it is awaked again to use the processor. Am I right?
True. But you might want to trace the above code to see how it works.
-Steve
6875
days inactive
6875
days old
linux-audit@lists.linux-audit.osci.io
3 comments
2 participants
participants (2)
-
Mauricio Lin -
Steve Grubb