Which approach should be taken for audit subsystem
Andrew R. Reiter
arr at watson.org
Wed Apr 9 14:31:44 GMT 2003
On Wed, 9 Apr 2003, Ilmar S. Habibulin wrote:
:
:I've found an interesting (and new to me) project of audit subsystem for
:Linux. Share - http://www.intersectalliance.com. They substitute original
:syscalls with own functions, which call original syscalls and analyze
:results. So they can just ship KLD, no kernel recompilation needed.
:I like the idea, but if there would no additional error definitions, there
:would be impossible to implement posix spec (I mean something, that will
:help to separate DAC access failure from MAC access failure, for ex.).
:
Btw, have you looked at how the old SRI audit code worked? It used the
ktrace code to hook into the syscalls that it wanted to audit. I don't
think this is the best route, but it's just another perspective.
:Thoughts, comments?
:
:PS. How to substitute syscalls in freebsd? Do I need to directly
:manipulate sysent vector?
Yes, you can modify the sysent vector. Or just overwrite the beginning of
the routine with a jump to your code... I guess modifying the vector is
the best way.
Thank you for putting some time in here. Though, I am interested in
hearing Robert's comments.
Cheers,
Andrew
--
Andrew R. Reiter
arr at watson.org
arr at FreeBSD.org
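An added, constructed userland model (not code from this thread, from FreeBSD, or from the InterSect Alliance project) of the sysent-vector substitution approach discussed above: a wrapper is installed in place of the original entry, calls the original, records the result for audit, and is removed again on unload. The table, the `fake_open` syscall and the `audit_record` layout are all assumptions made here for illustration; it also shows why the wrapper only ever sees the returned errno, which is the DAC-versus-MAC limitation Ilmar raises.

```c
#include <errno.h>
#include <stddef.h>
/* Constructed stand-in for the kernel's sysent vector (syscall number ->
 * handler).  Real FreeBSD entries are struct sysent; this only models the
 * substitution mechanism discussed in the thread. */
typedef int (*syscall_fn)(int arg, int *retval);
#define NSYSCALLS 4
#define SYS_fake_open 1
static syscall_fn sysent_model[NSYSCALLS];
static syscall_fn saved_original[NSYSCALLS];
/* One audit record per intercepted call.  A wrapper like this sees only the
 * returned errno, so an EACCES from DAC and one from MAC look identical,
 * which is the limitation raised in the thread. */
struct audit_record { int sysno; int arg; int error; int retval; };
static struct audit_record last_record;

/* Constructed "original" syscall: even args succeed, odd args are denied. */
static int fake_open(int arg, int *retval) {
    if (arg % 2) return EACCES;
    *retval = arg / 2;
    return 0;
}

/* The substitute: call the saved original, record the result, pass it on. */
static int audit_open_wrapper(int arg, int *retval) {
    int error = saved_original[SYS_fake_open](arg, retval);
    last_record.sysno = SYS_fake_open;
    last_record.arg = arg;
    last_record.error = error;
    last_record.retval = error ? -1 : *retval;
    return error;
}

int sysent_model_init(void) { sysent_model[SYS_fake_open] = fake_open; return 0; }
/* "KLD load": refuse an empty slot, save the original, install the wrapper. */
int audit_hook_install(void) {
    if (sysent_model[SYS_fake_open] == NULL) return EINVAL;
    saved_original[SYS_fake_open] = sysent_model[SYS_fake_open];
    sysent_model[SYS_fake_open] = audit_open_wrapper;
    return 0;
}
/* "KLD unload": restore the saved entry so no pointer dangles. */
int audit_hook_remove(void) {
    if (saved_original[SYS_fake_open] == NULL) return EINVAL;
    sysent_model[SYS_fake_open] = saved_original[SYS_fake_open];
    saved_original[SYS_fake_open] = NULL;
    return 0;
}
/* Dispatch through the (possibly hooked) vector; returns the errno value. */
int model_call(int sysno, int arg) { int rv = -1; return sysent_model[sysno](arg, &rv); }
const struct audit_record *audit_last(void) { return &last_record; }
```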