From: Rik Faith <faith@redhat.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: okir@suse.de, linux-kernel@vger.kernel.org
Subject: Re: [PATCH][RFC] Light-weight Auditing Framework
Date: Mon, 1 Mar 2004 15:28:45 -0500 [thread overview]
Message-ID: <16451.40189.997259.379123@neuro.alephnull.com> (raw)
In-Reply-To: [Christoph Hellwig <hch@infradead.org>] Mon 1 Mar 2004 19:45:01 +0000
On Mon 1 Mar 2004 19:45:01 +0000,
Christoph Hellwig <hch@infradead.org> wrote:
> On Mon, Mar 01, 2004 at 11:28:45AM -0500, Rik Faith wrote:
> > This note describes a patch against 2.6.4-rc1-bk2 that provides a
> > low-overhead system-call auditing framework for Linux that is usable by
> > LSM components (e.g., SELinux). Comments will be appreciated.
>
> I haven't actually looked at the code, but why don't you use Olaf Kirch's
> auditing framework that's used in production and already has gotten the
> wizzbang certification you seem to be aiming at.
Different goals. My goals are to provide a generic very-low-overhead
auditing framework that can be used as a service by more complex systems
(e.g., SELinux). In contrast to Olaf's work, for example, my patch does
not have intimate knowledge of system call parameters and semantics.
This decreases the invasiveness of the patch and the work required for
long-term maintainability.
The price for this simplicity is that the "language" for describing
which system calls to audit is also very simple (and is, therefore, not
independently sufficient for certifications). However, I assume that a
system undergoing certification will be using SELinux or another
security infrastructure that will make auditing _and_ other decisions
-- adding sophistication to the auditing infrastructure only duplicates
the work that the security module will provide.
> Whether we want syscall auditing in mainline is a completely different
> question.
I believe we need a light-weight, maintainable framework that is
versatile enough to be used for non-security purposes (e.g., debugging).
In general, my patch meets these requirements since it provides very
little that helps specifically with security (failure modes, loginuid,
and small helper functions).