Which approach should be taken for audit subsystem

Ilmar S. Habibulin ilmar at watson.org
Wed Apr 9 08:20:58 GMT 2003


I've found an interesting (and new to me) audit subsystem project for
Linux. Share - http://www.intersectalliance.com. They substitute the original
syscalls with their own functions, which call the original syscalls and analyze the
results. So they can just ship a KLD; no kernel recompilation is needed.
I like the idea, but if there were no additional error definitions, it
would be impossible to implement the POSIX spec (I mean something that will
help to separate a DAC access failure from a MAC access failure, for example).

Thoughts, comments?

PS. How do I substitute syscalls in FreeBSD? Do I need to directly
manipulate the sysent vector?
