From: "Darryl Dixon - Winterhouse Consulting" <darryl.dixon@winterhouseconsulting.com>
To: linux-audit@redhat.com
Subject: Decoding arguments passed to system calls
Date: Tue, 3 Jul 2007 09:46:26 +1200 (NZST) [thread overview]
Message-ID: <52930.65.99.233.211.1183412786.squirrel@pythonhacker.is-a-geek.net> (raw)
Hi List,
Forgive me if this isn't the correct forum for this, but I'd like to
present a scenario, outline my hypothetical solution to it, and then
solicit for feedback from the list on how to actually achieve it. I have
seen various discussions on the list around this topic (eg
http://www.redhat.com/archives/linux-audit/2005-March/msg00221.html, and
the current "Absolute path names in PATH records" thread), but
they all seemed intertwined with other things, so I am asking here to try
and pin down a firm answer :)
Scenario:
A very large filesystem with potentially millions of files in an ad-hoc,
unordered directory structure. The requirement is to be able to audit any
action on any file in this filesystem (moves, adds, changes, deletes,
etc). In auditfs terms, there is a requirement to have a 'watch' on every
single file (millions of files), and on any new file that is added.
Hypothetical solution:
Clearly, scanning the filesystem with `find` and adding calling auditctl
with the appropriate arguments to generate a watch on every singly file is
totally infeasible (find takes almost an hour to run, and in the meantime
stuff is potentially changing...). Instead, I envision it would make
better sense to simply audit every call to write(), open(), rename(), etc,
and then filter backwards from there with ausearch and a filter based on
the path. On Solaris with BSM, this is possible. My problem is that this
doesn't seem possible with the Linux Audit subsystem, as the arguments to
the system calls are not decoded (eg, the audit records for write()
include only an opaque filehandle and pointer to the written data, etc).
So, in terms of feedback:
1) Am I totally wrong and there's a method of getting this information
already that I have overlooked?
2) Knowing very little about the auditing subsystem, and the kernel
internals in general I envision that decoding the filehandle into a path
is something that would need to be done in the kernel, and is impossible
from userland. Is this the case?
3) How much work do you all estimate that it would actually take to be
able to generate this information? Is it even possible without a major
architectural overhaul of the audit subsystem?
Any and all feedback much appreciated.
many regards,
Darryl Dixon
Winterhouse Consulting Ltd
http://www.winterhouseconsulting.com
next reply other threads:[~2007-07-02 21:46 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-02 21:46 Darryl Dixon - Winterhouse Consulting [this message]
2007-07-02 22:27 ` Decoding arguments passed to system calls Matthew Booth
2007-07-02 22:48 ` Darryl Dixon - Winterhouse Consulting
2007-07-02 23:23 ` Matthew Booth
2007-07-03 11:57 ` Stephen Smalley
2007-07-03 14:38 ` Stephen Smalley
2007-07-04 15:03 ` Steve Grubb
2007-07-03 13:04 ` Wieprecht, Karen M.
2007-07-04 14:29 ` Steve Grubb
2007-07-04 14:23 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52930.65.99.233.211.1183412786.squirrel@pythonhacker.is-a-geek.net \
--to=darryl.dixon@winterhouseconsulting.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.