linux port of /dev/audit

Robert Watson rwatson at FreeBSD.org
Mon May 22 17:27:03 GMT 2000


On Mon, 22 May 2000, Beat Christen wrote:

> I will be working on a /dev/audit port for the linux kernel as part of my 
> masters thesis. To reduce double work, I'll try to stay compatible with
> the TrustedBSD /dev/audit binary format.
> Is there already a document on what this will look like, besides the
> source?

The initial two auditing prototypes generated as a result of the POSIX.1e
implementation effort were both left incomplete, although with a fair
amount of consensus as to how to implement the final version.  The general
conclusion was that, for performance reasons, /dev/audit should be
implemented in an OS-optimized manner, but that audit logs would be
exposed to log-{monitoring/reducing} applications via a portable audit
application interface, presumably based on POSIX.1e.

At this point, before moving onto reimplementing auditing support, we're
looking at restructuring the authorization interface for the kernel. 
We've been passing around a draft for that internally, and I hope to get
one out on the list.  One issue that has arisen is whether or not we
should be providing a generalized/extensible authorization abstraction
with well-defined semantics (i.e., as VFS is for file systems), or just
improving the modularity of the kernel.  However, this is probably best
discussed in the context of a straw-man, so I'll try to get that out the
door once the last few reviewers have got comments in to me.

The optimal log-gathering format from the perspective of /dev/audit will
depend on how the kernel gathers and manages security events in kernel, so
I wouldn't advise predisposing yourself towards binary compatibility at
that level.  That said, if there was compatibility, it probably wouldn't
hurt as the FreeBSD Linux emulator could then allow linux audit
applications to run in binary-form.  :-)  Once I get the authorization
document out the door (hopefully in the next two days before I get tied up
at the DARPA PI meeting I'll be attending), I'll assemble my notes on the
audit implementations we did.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
