From: Valdis.Kletnieks@vt.edu
To: "Leonard Milcin, Jr" <thervoy@post.pl>
Cc: linux-kernel@vger.kernel.org
Subject: Re: FileSystem Filter Driver
Date: Wed, 23 Apr 2003 12:21:36 -0400 [thread overview]
Message-ID: <200304231621.h3NGLaCs019543@turing-police.cc.vt.edu> (raw)
In-Reply-To: Your message of "Wed, 23 Apr 2003 17:48:17 +0200." <3EA6B5C1.1040903@post.pl>
[-- Attachment #1: Type: text/plain, Size: 1792 bytes --]
On Wed, 23 Apr 2003 17:48:17 +0200, "Leonard Milcin, Jr" <thervoy@post.pl> said:
> Nice. I wonder if there is some open-source project with aim in building
> audit tool based on that idea. It will be very nice to have one, and I
> think it will be very interesting, especially for corporate users. I
> will search for information about this, and if I find nothing, maybe
> this is a good moment to start that project? The aim will be building
> kernel driver + user-space tool to provide 1) ultimate filesystem audit
> tool, 2) user space access control manager. This will help linux to
> conquer with proprietary products.
Proper kernel auditing is harder than it looks. Check the LSM mailing list
archives for the last attempt to get auditing into the kernel - the idea
was basically dropped.
The basic problem is that there exist standards and best practices on how
auditing should be done, and doing it correctly in the Linux kernel would be
quite invasive. For example, although LSM already provides an exit in the
open() syscall, you can't use it for auditing because not all failures reach
the exit - there are cases (failed on permissions/ACL checks, etc) where the
call is failed and returns before LSM exits are call, and the standards say
those should result in audit records.
Placing the hooks isn't easy either. You can't hook right at the syscall
level. because you end up having to do a lot of work twice (looking up
pathnames, etc) - both wasteful and prone to race conditions. Hooking at the
filesystem level isn't right either - if you hook ext2 and ext3, you miss any
events that happen to be on xfs or reiserfs or what have you. If you can't
think of 3 "gotchas" of doing it at the VFS level, you shouldn't be poking in
that code either.. ;)
Good Luck.. ;)
[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]
next prev parent reply other threads:[~2003-04-23 16:09 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-04-23 10:28 FileSystem Filter Driver Nir Livni
2003-04-23 1:05 ` Antonio Vargas
2003-04-23 12:20 ` Nir Livni
2003-04-23 12:22 ` Muli Ben-Yehuda
2003-04-23 10:08 ` Abhishek Agrawal
2003-04-23 11:47 ` Michael Knigge
2003-04-23 12:11 ` Abhishek Agrawal
2003-04-23 16:11 ` joe briggs
2003-04-23 15:48 ` Leonard Milcin, Jr
2003-04-23 16:21 ` Valdis.Kletnieks [this message]
2003-04-23 12:58 ` Nir Livni
2003-04-23 11:53 ` Rogier Wolff
2003-04-23 14:27 ` William Stearns
2003-04-23 19:12 Chuck Ebbert
2003-04-29 13:35 Nir Livni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200304231621.h3NGLaCs019543@turing-police.cc.vt.edu \
--to=valdis.kletnieks@vt.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=thervoy@post.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).