Re: [ANNOUNCE] Kernel Generalized Event Management

From: Chris Wright
Date: Mon Aug 30 2004 - 17:41:11 EST


* Bob Bennett (Robert.Bennett2@xxxxxx) wrote:
> KGEM is available for download from http://sf.net/projects/kgem as a patch
> against kernel 2.6.8.1 and as a gzipped tar file containing the source and
> documentation. The components may be built either as kernel loadable modules
> or as part of the base.
>
> I have included a hook plugin module designed to be used with an anti-virus
> realtime scanner application, whose purpose is to check files as they are
> being opened or executed, to make sure they are not infected. This module
> defines five events; open, execve, close, fork, and exit. It registers with
> LSM to get control and generate these events.

So, why so much patch to do what's already available in the kernel? With
LSM, plus audit, you can generate events that userspace can consume via
netlink w/out this /proc stuff, and sys_call_table symbol lookup stuff,
the kernel hooks, etc.

How about starting by showing exactly what pieces are missing in the
kernel? This looks like things that can easily be done using existing
infrastructure.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
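The reply above argues that LSM plus the audit subsystem already delivers such events to userspace over netlink. As an added example (not code from this thread or from KGEM), the program below recovers the same five events that the KGEM hook module defines, open, execve, close, fork and exit, from audit SYSCALL records. It parses records in the text form auditd writes; the records are constructed inline so the program runs offline, whereas a real consumer would read them from the NETLINK_AUDIT socket. The syscall-number table assumes i386 records (arch=40000003), matching the 2.6.8 i386 kernel the patch targets; other architectures need their own numbers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The five file/process events the KGEM hook module defines */
enum ev_kind { EV_NONE = 0, EV_OPEN, EV_EXECVE, EV_CLOSE, EV_FORK, EV_EXIT, EV_COUNT };

static const char *ev_name[EV_COUNT] = { "none", "open", "execve", "close", "fork", "exit" };

/* Assumption: i386 syscall numbers (records carry arch=40000003) */
static enum ev_kind classify_syscall(long nr)
{
    switch (nr) {
    case 5:  return EV_OPEN;
    case 11: return EV_EXECVE;
    case 6:  return EV_CLOSE;
    case 2:  return EV_FORK;
    case 1:  return EV_EXIT;
    default: return EV_NONE;
    }
}

/* Copy the value of ' key=value' or ' key="value"' into buf; 0 if key is absent */
static int field_str(const char *rec, const char *key, char *buf, size_t n)
{
    char pat[32];
    const char *p;
    size_t i = 0;
    int quoted;

    snprintf(pat, sizeof pat, " %s=", key);
    p = strstr(rec, pat);
    if (!p)
        return 0;
    p += strlen(pat);
    quoted = (*p == '"');
    if (quoted)
        p++;
    while (*p && i + 1 < n && (quoted ? *p != '"' : *p != ' '))
        buf[i++] = *p++;
    buf[i] = '\0';
    return 1;
}

struct event {
    enum ev_kind kind;
    long pid;
    int success;      /* 1 if the kernel reported success=yes */
    char exe[64];
};

/* Parse one record; 1 if it is a SYSCALL record for one of the five events */
static int parse_record(const char *rec, struct event *ev)
{
    char val[64];

    if (strncmp(rec, "type=SYSCALL ", 13) != 0)
        return 0;   /* PATH, CWD etc. share the serial but carry no syscall number */
    if (!field_str(rec, "syscall", val, sizeof val))
        return 0;
    ev->kind = classify_syscall(strtol(val, NULL, 10));
    if (ev->kind == EV_NONE)
        return 0;
    ev->pid = field_str(rec, "pid", val, sizeof val) ? strtol(val, NULL, 10) : -1;
    ev->success = field_str(rec, "success", val, sizeof val) && strcmp(val, "yes") == 0;
    if (!field_str(rec, "exe", ev->exe, sizeof ev->exe))
        strcpy(ev->exe, "?");
    return 1;
}

/* Constructed sample records in auditd's text format (not real captures) */
static const char *const sample[] = {
    "type=SYSCALL msg=audit(1093902071.123:45): arch=40000003 syscall=11 success=yes exit=0 pid=1234 ppid=1 uid=0 comm=\"sh\" exe=\"/bin/sh\"",
    "type=SYSCALL msg=audit(1093902071.456:46): arch=40000003 syscall=5 success=yes exit=3 pid=1234 ppid=1 uid=0 comm=\"sh\" exe=\"/bin/sh\"",
    "type=PATH msg=audit(1093902071.456:46): item=0 name=\"/etc/passwd\" inode=12345",
    "type=SYSCALL msg=audit(1093902071.500:47): arch=40000003 syscall=4 success=yes exit=12 pid=1234 ppid=1 uid=0 comm=\"sh\" exe=\"/bin/sh\"",
    "type=SYSCALL msg=audit(1093902071.600:48): arch=40000003 syscall=6 success=yes exit=0 pid=1234 ppid=1 uid=0 comm=\"sh\" exe=\"/bin/sh\"",
    "type=SYSCALL msg=audit(1093902071.700:49): arch=40000003 syscall=2 success=yes exit=1235 pid=1234 ppid=1 uid=0 comm=\"sh\" exe=\"/bin/sh\"",
    "type=SYSCALL msg=audit(1093902071.800:50): arch=40000003 syscall=1 success=yes exit=0 pid=1235 ppid=1234 uid=0 comm=\"sh\" exe=\"/bin/sh\"",
};
#define SAMPLE_N ((int)(sizeof sample / sizeof sample[0]))

/* Tally records by event kind; returns how many mapped to one of the five events */
static int tally(const char *const *recs, int n, int counts[EV_COUNT])
{
    int i, total = 0;
    struct event ev;
    memset(counts, 0, EV_COUNT * sizeof counts[0]);
    for (i = 0; i < n; i++)
        if (parse_record(recs[i], &ev)) {
            counts[ev.kind]++;
            total++;
        }
    return total;
}

/* Small accessors over the sample so results can be checked by name */
static int sample_kind(int idx) { struct event ev; return parse_record(sample[idx], &ev) ? (int)ev.kind : EV_NONE; }
static long sample_pid(int idx) { struct event ev; return parse_record(sample[idx], &ev) ? ev.pid : -1; }
static int sample_count(enum ev_kind k) { int c[EV_COUNT]; tally(sample, SAMPLE_N, c); return c[k]; }
static int sample_total(void) { int c[EV_COUNT]; return tally(sample, SAMPLE_N, c); }

int main(void)
{
    int i;
    struct event ev;
    for (i = 0; i < SAMPLE_N; i++)
        if (parse_record(sample[i], &ev))
            printf("%-6s pid=%ld exe=%s success=%d\n", ev_name[ev.kind], ev.pid, ev.exe, ev.success);
    printf("%d of %d records mapped to an event\n", sample_total(), SAMPLE_N);
    return 0;
}
```

The write record (syscall=4) and the PATH record are deliberately included to show that a consumer only has to filter by record type and syscall number; an anti-virus scanner built this way would add a rule with auditctl for the syscalls it cares about rather than patching in new kernel hooks.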