Re: Security Auditing subsystem for Linux - request for advice/assistance

From: Valdis . Kletnieks
Date: Mon Oct 06 2003 - 03:02:06 EST

Next message: Andre Hedrick: "Re: SiI3112 DMA? (2.6.0-test6)"
Previous message: Mikael Pettersson: "Re: Lockup when switching from X to a VC (or when X goes away) in 2.6.0-test6-bk6"
In reply to: Leigh Purdie: "Security Auditing subsystem for Linux - request foradvice/assistance"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 06 Oct 2003 17:13:10 +1000, Leigh Purdie <spammagnet@xxxxxxxxxxxxxxxxxxxxx> said:

> The current implementation has a few areas that would really benefit
> from a bit of care-and-feeding from an experienced kernel hacker. In
> particular:
> * Filenames
> - Grabbing the REAL source / destination path for file-related events,
> regardless of:
> a) Whether the system call succeeds or fails

> * Potentially many other areas.
> - LSM integration for some calls, if viable?

You could do all of this from an LSM, except that the LSM exits are restrictive
rather than authoritative. The upshot is that if an open() syscall fails due
to file permissions, the LSM exit is never called, so you won't get an audit
record that way - you need a more invasive patch for that.

Read the LSM archives, there's a lot of discussion of doing auditing in there,
much of it revolving around the fact that proper audit makes for one hell of an
invasive patch. Now that LSM is in for 2.6, it *might* be feasible to discuss
audit for 2.7/8.

You probably want to port your patch to the 2.6 tree, as more development is
going on there.

Attachment: pgp00001.pgp
Description: PGP signature

Next message: Andre Hedrick: "Re: SiI3112 DMA? (2.6.0-test6)"
Previous message: Mikael Pettersson: "Re: Lockup when switching from X to a VC (or when X goes away) in 2.6.0-test6-bk6"
In reply to: Leigh Purdie: "Security Auditing subsystem for Linux - request foradvice/assistance"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]