From: Amy Griffis <amy.griffis@hp.com>
To: redhat-lspp@redhat.com
Cc: linux-audit@redhat.com
Subject: Re: Watch question
Date: Mon, 1 May 2006 15:25:43 -0400 [thread overview]
Message-ID: <20060501192543.GA24222@zk3.dec.com> (raw)
In-Reply-To: <1146238168.24265.51.camel@localhost.localdomain>
Timothy R. Chavez wrote: [Fri Apr 28 2006, 11:29:27AM EDT]
> On Fri, 2006-04-28 at 08:50 -0400, Steve Grubb wrote:
> > I completely disagree with the current file system auditing approach requiring
> > explicit syscall coupling. I think it is a big problem for the security
> > community to have a tool for auditing files that requires knowledge of
> > syscalls.
This audit subsystem was designed around knowledge of syscalls, to the
point that it requires the user to know whether a particular rule
field is applicable at syscall entry or exit time. (!)
The filesystem auditing capability that is currently upstream
(inode-based) requires a knowledge of syscalls. The path-based
functionality I've been working on isn't supposed to be a replacement
for the current inode-based filtering. It is supposed to complement
it to provide a way to audit config files.
> > I personally want to be able to tell the kernel that I want notification of:
> > reads, writes, execution, or changes to attributes of a specific file or all
> > files in that directory and subdirectories. User space should not have to
> > know which syscalls implement each of the categories.
>
> This is really simple and intuitive. I like it. These abstractions
> should be easily expressed. I don't imagine that the majority of the
> users of audit are going to need the level of granularity that's been
> provided, which is why the above makes sense.
Agreed, I think this makes a lot of sense. As Al also mentioned in
another thread, having auditctl specify a special bit or flag that
tells the kernel to set the appropriate bits in the syscall mask would
solve the problem for userspace.
--
redhat-lspp mailing list
redhat-lspp@redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp
next parent reply other threads:[~2006-05-01 19:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <44514966.3080900@us.ibm.com>
[not found] ` <200604280850.15745.sgrubb@redhat.com>
[not found] ` <1146238168.24265.51.camel@localhost.localdomain>
2006-05-01 19:25 ` Amy Griffis [this message]
2006-05-01 19:56 ` [redhat-lspp] Watch question Casey Schaufler
2006-05-01 20:24 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060501192543.GA24222@zk3.dec.com \
--to=amy.griffis@hp.com \
--cc=linux-audit@redhat.com \
--cc=redhat-lspp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.