Which approach should be taken for audit subsystem
Ilmar S. Habibulin
ilmar at watson.org
Thu Apr 10 06:50:27 GMT 2003
On Wed, 9 Apr 2003, Robert Watson wrote:
> I've never been a big fan of system call wrapping as a way to impose
> access control or audit mechanisms. One of the problems that is
Well, I like this idea only because of the zero kernel modifications. My
current work is based on your old attempts (plus some looks at OpenBSD).
> My preferred approach for Audit actually goes through and modifies all the
> system calls to attach argument data to an active audit record. In fact,
> that's the approach we've taken in Audit prototyping work recently, and
> I'd like to take in a FreeBSD implementation. The ktrace approach is nice
> in that it has a low code modification requirement, but I think to do it
> properly with threads, etc, it requires a moderate level of modification.
I'll try to describe my approach. On the one hand I had the MAC framework with
KLD, a very flexible solution; on the other I don't want to make big
syscall modifications. So I've got something in the middle, which IS
very extensible, IMHO. You need to load the audit subsystem into the kernel
and then load/unload/rewrite/extend the audit module as you like.
Kernel modifications are minimal.
The problem is that the minimal integration lacks explicit information.
So if we deeply integrate audit calls into each step of the audited
functions, we have to give up the flexibility of KLD.
Everything is IMHO, and I hope I've managed to explain my thoughts. ;-)
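A user-space model of the trade-off discussed in this message, written in C as an added illustration (it is not code from the TrustedBSD audit work or from either poster). The only "kernel-side" change is a hook table that a loadable audit module fills in, so modules can be swapped without touching the core; a wrapper-style module sees only the syscall's entry argument and return value, while a module that also receives a call from inside name lookup records the object that was actually opened. The hook names, the toy namei tables, the paths and the two module definitions are all constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define AUDIT_PATH_MAX 64

/* One audit record, filled in as the call progresses. */
struct audit_record {
    const char *syscall;
    char raw_arg[AUDIT_PATH_MAX];   /* argument as the caller passed it */
    char resolved[AUDIT_PATH_MAX];  /* object after name lookup, if that hook fired */
    int have_resolved;
    int result;                     /* 0 or negative errno, set on exit */
};

/* The only core change: a hook table a loadable audit module can fill.
 * Any entry may be NULL; the core skips hooks the module does not provide. */
struct audit_hooks {
    void (*syscall_enter)(struct audit_record *, const char *name, const char *arg);
    void (*object_resolved)(struct audit_record *, const char *path);
    void (*syscall_exit)(struct audit_record *, int result);
};

static const struct audit_hooks *cur_hooks;  /* NULL: no audit module loaded */

void audit_module_load(const struct audit_hooks *h) { cur_hooks = h; }
void audit_module_unload(void) { cur_hooks = NULL; }

/* Toy "namei": constructed symlink and file tables standing in for a namespace. */
static const char *const symlinks[][2] = { { "/tmp/link", "/etc/shadow" } };
static const char *const files[] = { "/etc/passwd", "/etc/shadow" };

static const char *lookup(const char *path)
{
    for (size_t i = 0; i < sizeof symlinks / sizeof symlinks[0]; i++)
        if (strcmp(path, symlinks[i][0]) == 0) { path = symlinks[i][1]; break; }
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(path, files[i]) == 0) return path;
    return NULL;
}

/* Model of an open(2) whose body carries an audit call at each step. */
int audited_open(const char *path, struct audit_record *rec)
{
    const char *obj;
    int ret;

    memset(rec, 0, sizeof *rec);
    rec->syscall = "open";
    if (cur_hooks && cur_hooks->syscall_enter)
        cur_hooks->syscall_enter(rec, "open", path);

    obj = lookup(path);                       /* name resolution happens here */
    if (obj && cur_hooks && cur_hooks->object_resolved)
        cur_hooks->object_resolved(rec, obj); /* explicit info a wrapper never sees */

    ret = obj ? 0 : -ENOENT;
    if (cur_hooks && cur_hooks->syscall_exit)
        cur_hooks->syscall_exit(rec, ret);
    return ret;
}

/* Hook bodies shared by both hypothetical modules. */
static void on_enter(struct audit_record *r, const char *name, const char *arg)
{
    r->syscall = name;
    snprintf(r->raw_arg, sizeof r->raw_arg, "%s", arg);
}
static void on_resolved(struct audit_record *r, const char *p)
{
    snprintf(r->resolved, sizeof r->resolved, "%s", p);
    r->have_resolved = 1;
}
static void on_exit(struct audit_record *r, int result) { r->result = result; }

/* Module A: wrapper style, sees only entry arguments and the return value. */
const struct audit_hooks wrapper_module = { on_enter, NULL, on_exit };
/* Module B: deep integration, also gets the resolved object from inside the call. */
const struct audit_hooks deep_module = { on_enter, on_resolved, on_exit };

int main(void)
{
    struct audit_record rec;

    audit_module_load(&wrapper_module);
    audited_open("/tmp/link", &rec);
    printf("wrapper: arg=%s resolved=%s result=%d\n", rec.raw_arg,
           rec.have_resolved ? rec.resolved : "(unknown)", rec.result);

    audit_module_load(&deep_module);           /* swap modules, core untouched */
    audited_open("/tmp/link", &rec);
    printf("deep:    arg=%s resolved=%s result=%d\n", rec.raw_arg,
           rec.have_resolved ? rec.resolved : "(unknown)", rec.result);
    audit_module_unload();
    return 0;
}
```

The wrapper module logs "/tmp/link" and a success code, but cannot tell that the object opened was /etc/shadow; only the object_resolved call placed inside the operation supplies that, which is the explicit information the minimal integration lacks and the reason each such call is one more edit to the syscall body.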