On Thursday 30 June 2005 08:45, serue@private wrote:
> Quoting Tony Jones (tonyj@private):
> > > Clearly, you can't intelligently audit from a module since you have no idea
> > > as to what use the caller intends to make of your information (or down the
> > > road if stacker was to do something different from RETURN_ERROR_IF_ANY_ERROR).
> >
> > I guess I should amend that to say that you can't log using a simplistic
> > method. I should look at the kernel audit subsystem to see if higher levels
> > can generate an audit based on what they did with the capable data (i.e. reject),
> > which an automated tool could combine with audit data from the module to
> > suggest policy changes.
>
> Exactly, if the lower levels can't distinguish between two types of
> requests, maybe the user-space audit daemon can look at multiple entries
> for a single process/event and consolidate/interpret them.

Probably not a good task for the audit daemon to be doing, but would be possible with ausearch perhaps?

-tim

> This might be easier if you use audit_log rather than printk, as you
> should be able to get a single serial number for the messages from one
> syscall.
>
> -serge
>
>
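
The consolidation idea discussed in this thread, as an added example that is not part of the original messages: records sharing one audit event ID (the `timestamp:serial` pair) are grouped, and a module's capability denial is compared with what the syscall finally returned. The log lines are constructed, and the `MODULE_CAP` record type with its `module` and `verdict` fields is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Linux audit log layout. MODULE_CAP is a
# hypothetical record type standing in for what a stacked module would log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1120140000.101:501): syscall=5 success=no exit=-13 pid=2210 comm="backup"
type=MODULE_CAP msg=audit(1120140000.101:501): module=modA cap=2 verdict=deny
type=MODULE_CAP msg=audit(1120140000.101:501): module=modB cap=2 verdict=allow
type=SYSCALL msg=audit(1120140000.350:502): syscall=5 success=yes exit=3 pid=2210 comm="backup"
type=MODULE_CAP msg=audit(1120140000.350:502): module=modA cap=1 verdict=deny
type=SYSCALL msg=audit(1120140000.900:503): syscall=3 success=yes exit=0 pid=2210 comm="backup"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")

def parse_fields(body):
    """Split 'k=v k2="v2"' into a dict, dropping surrounding quotes."""
    pairs = (tok.split("=", 1) for tok in body.split() if "=" in tok)
    return {k: v.strip('"') for k, v in pairs}

def group_by_event(log_text):
    """Map each event ID (timestamp:serial) to the records emitted under it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # lines that are not audit records are skipped
            rtype, event_id, body = m.groups()
            events[event_id].append((rtype, parse_fields(body)))
    return events

def consolidate(log_text):
    """One summary per event in which some module denied a capability."""
    out = []
    for event_id, records in sorted(group_by_event(log_text).items()):
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        denied_by = [f.get("module", "?") for t, f in records
                     if t == "MODULE_CAP" and f.get("verdict") == "deny"]
        if syscall is None or not denied_by:
            continue
        # The module alone cannot know this: did the caller act on the denial?
        enforced = syscall.get("success") == "no"
        out.append({"event": event_id, "comm": syscall.get("comm"),
                    "denied_by": denied_by, "enforced": enforced})
    return out

if __name__ == "__main__":
    for row in consolidate(SAMPLE_LOG):
        print(row)
```

Events where `enforced` is false are the cases the thread worries about: the module logged a denial, but the higher level did not reject the request.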