Re: stacker and vm_enough_memory

From: serue@private
Date: Thu Jun 30 2005 - 07:28:23 PDT


Quoting Timothy R. Chavez (tinytim@private):
> On Thursday 30 June 2005 08:45, serue@private wrote:
> > Quoting Tony Jones (tonyj@private):
> > > > Clearly, you can't intelligently audit from a module since you have no idea 
> > > > as to what use the caller intends to make of your information (or down the 
> > > > road if stacker was to do something different from RETURN_ERROR_IF_ANY_ERROR).
> > > 
> > > I guess I should amend that to say that you can't log using a simplistic
> > > method.  I should look at the kernel audit subsystem to see if higher levels
> > > can generate an audit based on what they did with the capable data (i.e. reject),
> > > which an automated tool could combine with audit data from the module to 
> > > suggest policy changes.
> > 
> > Exactly, if the lower levels can't distinguish between two types of
> > requests, maybe the user-space audit daemon can look at multiple entries
> > for a single process/event and consolidate/interpret them.
> 
> Probably not a good task for the audit daemon to be doing, but would be possible with ausearch perhaps?

Good point - that would depend on just how many of these msgs there are :)
If they threaten to overflow the audit logs in one hour, it might be
worth doing in the auditd, otherwise ausearch is probably best.  That
also leaves a better audit trail in case some user finds a way of
exploiting this to hide activity from the logs.

thanks,
-serge


