Kernel auditing
Matthew Dillon
dillon at apollo.backplane.com
Tue May 18 16:01:38 PDT 2004
:I like this idea, and this would keep the log file size down. It does
:take away from the ability to backtrack the process tree all the way to
:init and grab information such as uid/gid from moving back. Maybe I
:should change it so the initial program gets all it's state put into the
:beginning of the audit, so you will still know what uid any children of
:say sshd are running as.
Well, like ktrace, the output from multiple processes will wind up in
the same audit file, so each audit record would need some sort of
identifier (like a pid).
:This works very well for say exec, but open, and access, which just use
:namei and never look at the name don't give me much to work with. I
:agree that doing to copyin()'s is not the cleanest way, but I didn't
:want to change the API of namei to tell it what kind of operation to log
:since I'm assuming most calls to namei won't be logging anything.
Well, namei() just copyinstr()'s the data anyway. Arguably it makes
more sense for NDINIT to do this and for NDFREE to release the data
rather then for namei() to do this, but that would require significant
programming. I can look into it next week (I'm not going to be here this
weekend).
:Yes, adding the audit command and passing it's open file descriptor
:would make it much cleaner. Would this require a new system call to
:attach an audit log to an fd? And then would I use VOP_WRITE to write
:out to the fd from kernelside? I was thinking caps would have been
:good, but moving to this per process model would make sorting the data
:much cleaner. It also very easily facilitates the idea of auditing a
:jail from the actual host. Thanks for the input, and I'll start banging
:away at some of these ideas.
:
:-Craig
:Craig Dooley craig at xxxxxxxxxx
Yes, similar to ktrace. You would not use VOP_WRITE, necessarily... well,
you would, but it would probably be better to create a kernel thread
for each audit and then buffer the data, waking up the thread only when
necessary (and the thread would flush the pending data once a second
anyway). That way the system would be able to run at nearly full speed
*even* if you are auditing every single process.
Creating a kernel thread is *very* easy.
The system call would route the request to the thread governing the
audit structure. e.g. 'add this process to the audit' or 'remove that
process' or 'close out the audit' or 'change the audit descriptor', etc.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
More information about the Submit
mailing list