On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
> I'm posting these patches for early review; users of the code are not in
> the kernel yet.

Quick public comment (we chatted on IRC), there are already a number of user space crypto events. I think what is in the logs here can be fit into the existing categories and the user space ones can be replicated in the kernel.

-Steve

> Two new records are defined; in each case output of records is caused by a
> syscall, and all other syscall-related data (process identity, syscall
> result) is audited in the usual records.
>
> AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
> changed.
>
> AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
> crypto operation. To disable auditing these records by default and to
> allow the users to selectively enable them using filters, a new filter
> field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
> thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
>
> Attached for review are:
> - A kernel patch
> - A userspace audit patch
> - A few example audit entries
>
> Mirek
