Re: Linux C2-Style Audit Capability

Alan Cox (alan@lxorguk.ukuu.org.uk)
Sat, 4 Aug 2001 10:23:58 +0100 (BST)


> System calls are overridden by pointing sys_call_table[system call] to a
> replacement function which saves off the data for auditing purposes, then
> calls the original system call.

Ugly, but that bit probably ties in with all the other folks trying to put
together a unified security hook set for 2.5.

> audit events are turned on (eg: open()), the user-space audit daemon cannot
> keep up with the kernel, and therefore my ring buffer fills. As such, we
> lose events.
>
> if(!write_io((io_class *)event))
> {
>     // Couldn't write it out.
>     // No space available in the ring buffer.
>     signal=0;
>     lost_events++;
> }

So why don't you block? Obviously you must never block logging events
caused by the logging daemon itself, but in the other cases, since you are
logging before (and maybe after) a syscall rather than logging during the
syscall where locks may be held, I don't see the problem.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
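Added example, not part of this message or of the audit patch being discussed: a small user-space model of the trade-off Alan raises. The syscall hook is the producer, the audit daemon is the consumer, and the ring buffer sits between them. Under a drop policy a burst the daemon cannot keep up with shows up as `lost_events`; under a block policy the producer waits for the daemon to free a slot, so nothing is lost, except that events generated by the daemon's own syscalls are never allowed to block (the daemon is the only consumer, so blocking it would deadlock). The ring size, pids, and the inline "drain one event" stand-in for a wait-queue sleep are all constructed assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define RING_SLOTS 8       /* constructed: tiny ring so a burst overflows quickly */
#define AUDITD_PID 1001    /* constructed pid for the user-space audit daemon */

struct audit_event { int pid; int syscall_nr; };

enum overflow_policy { POLICY_DROP, POLICY_BLOCK };

struct audit_ring {
    struct audit_event slot[RING_SLOTS];
    size_t head, tail, count;
    unsigned long lost_events;   /* dropped because the ring was full */
    unsigned long blocked_waits; /* producer had to wait for the daemon */
    unsigned long delivered;     /* events the daemon actually read */
};

static void ring_init(struct audit_ring *r)
{
    *r = (struct audit_ring){0};
}

/* Consumer side: the audit daemon reading one event out of the ring. */
static bool auditd_read_one(struct audit_ring *r)
{
    if (r->count == 0)
        return false;
    r->tail = (r->tail + 1) % RING_SLOTS;
    r->count--;
    r->delivered++;
    return true;
}

/* Producer side: the syscall hook recording an event before the real call runs.
   Returns false if the event was dropped. */
static bool audit_record(struct audit_ring *r, struct audit_event ev, enum overflow_policy pol)
{
    if (r->count == RING_SLOTS) {
        /* The daemon's own syscalls must never block: it is the only consumer,
           so waiting on it here would deadlock. Drop and count instead. */
        if (pol == POLICY_DROP || ev.pid == AUDITD_PID) {
            r->lost_events++;
            return false;
        }
        /* Block until a slot frees. In a kernel this is a sleep on a wait
           queue; here the daemon is run inline to stand in for the wake-up. */
        r->blocked_waits++;
        auditd_read_one(r);
    }
    r->slot[r->head] = ev;
    r->head = (r->head + 1) % RING_SLOTS;
    r->count++;
    return true;
}

/* Constructed burst: n_events open() calls from ordinary processes while the
   daemon manages only one read per consume_every records (it cannot keep up). */
static struct audit_ring run_burst(enum overflow_policy pol, int n_events, int consume_every)
{
    struct audit_ring r;
    ring_init(&r);
    for (int i = 0; i < n_events; i++) {
        struct audit_event ev = { .pid = 2000 + i, .syscall_nr = 5 /* open */ };
        audit_record(&r, ev, pol);
        if ((i + 1) % consume_every == 0)
            auditd_read_one(&r);
    }
    while (auditd_read_one(&r))  /* daemon drains the backlog after the burst */
        ;
    return r;
}

/* Fill the ring, then record an event caused by the daemon itself under the
   blocking policy: it must be dropped, not blocked. */
static struct audit_ring daemon_self_event_on_full_ring(void)
{
    struct audit_ring r;
    ring_init(&r);
    for (int i = 0; i < RING_SLOTS; i++)
        audit_record(&r, (struct audit_event){ .pid = 2000 + i, .syscall_nr = 5 }, POLICY_BLOCK);
    audit_record(&r, (struct audit_event){ .pid = AUDITD_PID, .syscall_nr = 5 }, POLICY_BLOCK);
    return r;
}

int main(void)
{
    struct audit_ring drop = run_burst(POLICY_DROP, 40, 4);
    struct audit_ring block = run_burst(POLICY_BLOCK, 40, 4);
    struct audit_ring self = daemon_self_event_on_full_ring();
    printf("drop  : delivered=%lu lost=%lu blocked=%lu\n", drop.delivered, drop.lost_events, drop.blocked_waits);
    printf("block : delivered=%lu lost=%lu blocked=%lu\n", block.delivered, block.lost_events, block.blocked_waits);
    printf("daemon self-event on full ring: lost=%lu blocked=%lu\n", self.lost_events, self.blocked_waits);
    return 0;
}
```

With these constructed numbers the drop policy loses 23 of 40 events while the block policy delivers all 40 at the cost of 23 producer waits; the daemon's own event on a full ring is counted as lost rather than blocking. The second number is the real cost Alan's suggestion accepts: audited syscalls slow to the daemon's pace instead of the audit trail silently developing holes.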