On Wed, 23 Apr 2003 17:48:17 +0200, "Leonard Milcin, Jr" said: > Nice. I wonder if there is some open-source project with aim in building > audit tool based on that idea. It will be very nice to have one, and I > think it will be very interesting, especially for corporate users. I > will search for information about this, and if I find nothing, maybe > this is a good moment to start that project? The aim will be building > kernel driver + user-space tool to provide 1) ultimate filesystem audit > tool, 2) user space access control manager. This will help linux to > conquer with proprietary products. Proper kernel auditing is harder than it looks. Check the LSM mailing list archives for the last attempt to get auditing into the kernel - the idea was basically dropped. The basic problem is that there exist standards and best practices on how auditing should be done, and doing it correctly in the Linux kernel would be quite invasive. For example, although LSM already provides an exit in the open() syscall, you can't use it for auditing because not all failures reach the exit - there are cases (failed on permissions/ACL checks, etc) where the call is failed and returns before LSM exits are call, and the standards say those should result in audit records. Placing the hooks isn't easy either. You can't hook right at the syscall level. because you end up having to do a lot of work twice (looking up pathnames, etc) - both wasteful and prone to race conditions. Hooking at the filesystem level isn't right either - if you hook ext2 and ext3, you miss any events that happen to be on xfs or reiserfs or what have you. If you can't think of 3 "gotchas" of doing it at the VFS level, you shouldn't be poking in that code either.. ;) Good Luck.. ;)