From: "L. A. Walsh"
Subject: Re: Question regarding ntpd
Date: Tue, 11 Oct 2016 14:37:16 -0700
Message-ID: <57FD5B8C.1080909@tlinx.org>
References: <6969452.IzX1pIz0vM@x2> <57FC0CA7.4000404@tlinx.org> <2633790.HIaGmAgEAo@x2>
To: Paul Moore
Cc: "Jarsulic, Michael [CRI]", linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Paul Moore wrote:
> On Tue, Oct 11, 2016 at 12:07 PM, Steve Grubb wrote:
>
>> On Monday, October 10, 2016 2:48:23 PM EDT L. A. Walsh wrote:
>>
>>> I.e. the exact opposite of your (Steve)'s statement. Wondered if that was
>>> a misread or newer information...<*idle curiosity*>.
>>>
>>> Either way sounds like it would be "nice" to differentiate a "read" from
>>> a "write" in this syscall if it is to be useful.
>>
>> I agree. But the problem with this syscall is that the operation
>> is part of a data structure that is passed by address to the kernel.
>> There currently is no good way to filter its uses because the audit
>> subsystem can only look at the actual argument passed. I think there
>> may be an issue opened for this on github.
>
> Yep, link below:
>
> * https://github.com/linux-audit/audit-kernel/issues/10

A parallel that may be useful -- the "file" program that IDs files, can't just
look at the value of a field, but values pointed-to, by-a-field. Without the
ability to record the value of a "pointer", I'd think audit was a bit
hamstrung. At the destination of the pointer, one might want to support other
data types than just 'value' (usernames, groupnames, structures...etc). Sad,
but one might want to record an array of groups pointed to by some field as
well.
Is it the case that nothing else in audit needs indirect information? But as
long as the data structure is defined by the kernel, I'd think it a valid
object to be able to audit...but that's my wanting flexibility. Even
wireshark/network monitoring needed to have the ability to compile the filter
into the kernel to create satisfactory performance. Might not audit need
similar?
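An added illustration of the limitation discussed in the thread (this is example code, not from the list or from the audit project), assuming the syscall in question is adjtimex(2), the call ntpd uses both to query and to steer the clock: the only syscall argument is a pointer to a user-space `struct timex`, and the read-versus-write distinction lives in the `modes` field behind that pointer, so a syscall audit rule that records `a0` sees the same kind of value for both operations.

```c
/* Added example: why an audit rule on adjtimex() cannot tell a clock
 * query from a clock adjustment from the syscall arguments alone.
 * Linux/glibc only; the "write" request is built but never issued. */
#include <stdio.h>
#include <string.h>
#include <sys/timex.h>

/* Classify a request by looking *inside* the struct: modes == 0 is a
 * pure query, any ADJ_* bit asks the kernel to change clock state.
 * This is the dereference the audit syscall filter cannot perform. */
static const char *adjtimex_op(const struct timex *tx)
{
    return tx->modes == 0 ? "read" : "write";
}

/* What the syscall entry (and hence an audit -S adjtimex rule) sees:
 * a0 is the address of the struct, not anything it contains. */
static unsigned long adjtimex_a0(const struct timex *tx)
{
    return (unsigned long)tx;
}

int main(void)
{
    struct timex tx;

    /* Read: all modes bits clear; permitted without CAP_SYS_TIME. */
    memset(&tx, 0, sizeof tx);
    printf("%-5s a0=0x%lx modes=0x%x\n",
           adjtimex_op(&tx), adjtimex_a0(&tx), tx.modes);
    if (adjtimex(&tx) < 0)
        perror("adjtimex");
    else
        printf("kernel reports freq=%ld status=0x%x\n", tx.freq, tx.status);

    /* Write: same pointer argument, but modes now carries ADJ_OFFSET.
     * Issuing this would slew the clock and needs CAP_SYS_TIME, so the
     * request is only shown, not executed. */
    tx.modes = ADJ_OFFSET;
    tx.offset = 0;
    printf("%-5s a0=0x%lx modes=0x%x\n",
           adjtimex_op(&tx), adjtimex_a0(&tx), tx.modes);
    return 0;
}
```

Both lines print the same `a0`, which is exactly the value an audit SYSCALL record would carry for either operation.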