Posix 1003.6/1e audit

Robert Watson robert at cyrus.watson.org
Tue Feb 1 02:40:45 GMT 2000


On Mon, 31 Jan 2000, James Buster wrote:

> Anybody here working on that front?

I was, and posted some comments a while back, but haven't been putting
much effort into it in a while.  My general conclusion about the whole
auditing component of the spec was that it tried to be too broad, with
insufficient guidance into the structures used to store auditing
information.  The same goes for large parts of the spec--sometimes it's
just nicer to have structs than amorphous interfaces requiring semantics
that are almost, but not quite consistent with the logical structures that
might represent them :-).

The end conclusion we reached for the FreeBSD implementation was that
internally we'd use a fairly optimized arrangement involving four unions
of common sets of arguments (i.e., syscalls sorted by argument size and
split into four buckets), and convert to something resembling POSIX.1e
later.  For POSIX.1e auditing to be really useful, I think it would
benefit from a text-based representation of the auditing event record --
I've got code somewhere for a parser and text generator based on aud_t,
I'll dig it up when I get a chance, and send you a URL.  This way,
general-purpose audit analysis tools (the real point here) could be
written without being aware of the details on the platform, and logs would
be exportable (something useful that POSIX.1e doesn't make possible).

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
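A constructed C sketch of the two-layer design described in the mail above: a compact kernel-side record that stores only the union member for its argument bucket, plus a text generator and parser giving the exportable, platform-neutral form. This is added example code, not the FreeBSD implementation or the aud_t-based parser the mail mentions; the field names, the bucket sizes 0/1/3/6 and the line format are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed example: syscalls are sorted by argument count into buckets, */
/* so a record carries only the union member its bucket needs (assumed sizes). */
enum bucket { ARGS0 = 0, ARGS1 = 1, ARGS3 = 3, ARGS6 = 6 };
struct audit_rec {
    uint32_t event, pid;          /* syscall/event number, subject pid */
    enum bucket bucket;           /* selects the active union member */
    union { uint64_t a1[1]; uint64_t a3[3]; uint64_t a6[6]; } u;
};
/* Active argument array; the enum value doubles as the argument count. */
static uint64_t *rec_args(struct audit_rec *r)
{
    if (r->bucket == ARGS1) return r->u.a1;
    if (r->bucket == ARGS3) return r->u.a3;
    return r->bucket == ARGS6 ? r->u.a6 : NULL;
}
/* Generator: e.g. "event=5 pid=1234 nargs=3 0x1 0x2 0x3"; length or -1. */
int audit_to_text(struct audit_rec *r, char *out, size_t len)
{
    int n = snprintf(out, len, "event=%u pid=%u nargs=%d",
                     r->event, r->pid, (int)r->bucket);
    if (n < 0 || (size_t)n >= len) return -1;
    uint64_t *a = rec_args(r);
    for (int i = 0; i < (int)r->bucket; i++) {
        int m = snprintf(out + n, len - n, " 0x%llx",
                         (unsigned long long)a[i]);
        if (m < 0 || (size_t)m >= len - n) return -1;  /* truncated */
        n += m;
    }
    return n;
}
/* Parser: inverse of the generator; -1 if malformed or count matches no bucket. */
int audit_from_text(const char *line, struct audit_rec *r)
{
    int nargs, used;
    memset(r, 0, sizeof *r);
    if (sscanf(line, "event=%u pid=%u nargs=%d%n",
               &r->event, &r->pid, &nargs, &used) != 3) return -1;
    if (nargs != 0 && nargs != 1 && nargs != 3 && nargs != 6) return -1;
    r->bucket = (enum bucket)nargs;
    uint64_t *a = rec_args(r);
    for (const char *p = line + used; nargs-- > 0; p += used) {
        unsigned long long v;
        if (sscanf(p, " 0x%llx%n", &v, &used) != 1) return -1;
        *a++ = v;
    }
    return 0;
}
```

Rejecting an argument count that matches no bucket keeps a hostile or corrupted log line from indexing past the union when the record is re-imported.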

