Re: Linux C2-Style Audit Capability

richard offer (offer@sgi.com)
Mon, 06 Aug 2001 15:07:59 -0700


* frm alan@lxorguk.ukuu.org.uk "08/04/01 09:24:11 +0000" | sed '1,$s/^/* /'
*
*> System calls are overridden by pointing sys_call_table[system call] to a
*> replacement function which saves off the data for auditing purposes,
*> then calls the original system call.
*
* Ugly but that bit probably ties in with all the other folks trying to put
* together a unified security hook set for 2.5

Simply wrapping the system calls isn't going to get a CAPP (or C2)
compliant audit implementation. It also isn't how the "unified security
hooks" (aka LSM, Linux Security Modules) are working.

SGI is working towards a CAPP-compliant audit implementation under the LSM
framework; I'd suggest that you head over to http://lsm.immunix.org/ for
more details on LSM.

richard.

-----------------------------------------------------------------------
Richard Offer Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________
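The sys_call_table approach quoted above, as an added user-space model that is not code from this thread, from SGI or from LSM: a dispatch table, an auditing shim that records arguments and return value around the original, and a guarded install/remove. The call numbers, the single open-like call and the audit buffer are all constructed; the model only shows that a wrapper at the table sees a denial as a return value, not the access decision inside the kernel where LSM hooks sit.

```c
/* Added example, not code from the thread or from SGI/LSM: a user-space
 * model of "pointing sys_call_table[nr] at a replacement that saves the
 * data and calls the original".  Table, call and numbers are invented. */
#include <stdio.h>
typedef long (*syscall_fn)(long a0, long a1);
enum { NR_OPEN_LIKE, NR_CALLS, MODEL_EACCES = 13, AUDIT_MAX = 16 };
struct audit_rec { int nr; long a0, a1, ret; };
static struct audit_rec audit_log[AUDIT_MAX];
static int audit_count, installed;

/* Constructed original: refuses object 0, standing in for an access
 * decision made inside the kernel that the wrapper never sees. */
static long orig_open_like(long obj, long fl) { return obj ? obj * 10 + fl : -MODEL_EACCES; }
static syscall_fn sys_call_table[NR_CALLS] = { orig_open_like };
static syscall_fn saved_table[NR_CALLS];   /* originals, for forwarding */

/* Shim: forward to the saved original, then record args and result. */
static long audited(int nr, long a0, long a1)
{
    long ret = saved_table[nr](a0, a1);
    if (audit_count < AUDIT_MAX)
        audit_log[audit_count++] = (struct audit_rec){ nr, a0, a1, ret };
    return ret;
}
static long wrap_open_like(long a0, long a1) { return audited(NR_OPEN_LIKE, a0, a1); }

/* Guarded install: installing twice without the guard would save the
 * wrapper as the "original", so every call would recurse forever. */
int install_audit_wrappers(void)
{
    if (installed) return -1;
    for (int i = 0; i < NR_CALLS; i++) saved_table[i] = sys_call_table[i];
    sys_call_table[NR_OPEN_LIKE] = wrap_open_like;
    installed = 1; return 0;
}
int remove_audit_wrappers(void)
{
    if (!installed) return -1;
    for (int i = 0; i < NR_CALLS; i++) sys_call_table[i] = saved_table[i];
    installed = 0; return 0;
}
long do_syscall(int nr, long a0, long a1) { return sys_call_table[nr](a0, a1); }
int audit_records(void) { return audit_count; }

int main(void)
{
    install_audit_wrappers();
    do_syscall(NR_OPEN_LIKE, 0, 2);   /* denied: recorded with ret -13 */
    do_syscall(NR_OPEN_LIKE, 4, 1);   /* allowed: recorded with ret 41 */
    remove_audit_wrappers();
    for (int i = 0; i < audit_records(); i++)
        printf("nr=%d a0=%ld a1=%ld ret=%ld\n", audit_log[i].nr, audit_log[i].a0, audit_log[i].a1, audit_log[i].ret);
    return 0;
}
```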

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/