audit question (fwd)
Ilmar S. Habibulin
ilmar at watson.org
Fri Nov 9 11:03:46 GMT 2001
On Fri, 9 Nov 2001, Andrew R. Reiter wrote:
> Since you mentioned you did this from experience, can you share what
> you used as generic identifiers before?
I mentioned that I didn't think about a generic identifier, because I used
special flags on files, which cause the audit subsystem to log read, write or
execute operations. And I made hooks in syscalls; some of them have a 'char
*path' parameter, some of them have only 'int fd'. So I think that if the new
audit subsystem must register all events, then the easiest way is to
register kernel fs-specific identifiers. For ufs they are device and
inode. And this approach is similar to machine/fs/protocol specific data
pointers in kernel structures. Just look at them - they have some type
field, some common fields and a type-specific field, which is handled only
by the specified driver, not by generic kernel routines. And I propose
something similar.
Sorry, but I can't help in figuring out the needed identifiers; I know only
ufs a little bit.
> I had been wondering about how this would impact something like a heavily
> loaded web server or other type of server that might create any number of
> files/inodes, etc. Perhaps if we can compress the relative path and be
> able to do a hash on that, and then just worry about filenames
> specifically, it might help us.
Are you wondering about the impact of registering or of identifier-to-path
translation? I have 3 types of object audit: create, access and delete.
Access audit was also divided into 3 types: read, write and execute. But in
order not to trash the logs and slow down the machine, I used special flags. With
these flags you can mark files of interest, and all accesses to these files
will be logged.
Registration of all operations is a much harder requirement. It would
not be suitable for all environments. So maybe review my approach and
implement it together with reg-all?
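An added sketch (not code from the TrustedBSD audit work or from this thread; all names are hypothetical) of the two ideas in the message above: a typed object identifier whose fs-specific payload (device and inode for ufs) is only decoded by that fs's own routine, and per-file flags that select which accesses get logged, with a register-all mode that bypasses the flags.

```c
#include <inttypes.h>
#include <stdio.h>

/* Per-file audit flags in the style of the poster's "special flags": set on a
 * file of interest to have that kind of access logged (hypothetical names). */
#define AUF_READ  0x1u
#define AUF_WRITE 0x2u
#define AUF_EXEC  0x4u

enum au_op { AU_READ = 0, AU_WRITE = 1, AU_EXEC = 2 };

/* Generic object identifier: a type tag plus an fs-specific payload, like the
 * type field + type-specific data pattern in kernel structures. Only UFS is
 * defined here; its identifier is (device, inode). */
enum au_fs { AU_FS_NONE = 0, AU_FS_UFS = 1 };

struct au_objid {
    enum au_fs fstype;
    union {
        struct { uint32_t dev; uint32_t ino; } ufs;
    } u;
};

struct au_objid au_ufs_id(uint32_t dev, uint32_t ino)
{
    struct au_objid id = { AU_FS_UFS, { { dev, ino } } };
    return id;
}

/* Policy decision at a syscall hook: in register-all mode every access is
 * logged; otherwise only accesses matching the file's flags are. */
int au_should_log(int reg_all, unsigned flags, enum au_op op)
{
    static const unsigned need[3] = { AUF_READ, AUF_WRITE, AUF_EXEC };
    if (reg_all)
        return 1;
    return (flags & need[op]) != 0;
}

/* Decode the identifier into a log record (buf may be NULL with n == 0 to
 * size it); returns the record length, or -1 when no decoder exists for the
 * fs type, since the generic layer never interprets the payload itself. */
int au_format(char *buf, size_t n, const struct au_objid *id, enum au_op op)
{
    static const char *opname[3] = { "read", "write", "exec" };
    if (id->fstype != AU_FS_UFS)
        return -1;
    return snprintf(buf, n, "access op=%s fs=ufs dev=%" PRIu32 " ino=%" PRIu32,
                    opname[op], id->u.ufs.dev, id->u.ufs.ino);
}
```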