Previous Next Table of Contents

9. Auditing

An auditing facility is provided. Its design is intended to be simple but flexible, in such a way that it can be robustly implemented and will not impinge on the general responsiveness of the Linux kernel.

The following is a summary of the recent discussion on the linux-privs list. I am in the process of making a proposal that will be general enough to handle all of the following features:

9.1 First some kernel infrastructure:

9.2 What audit records should contain?

9.3 Next some Policy (when/what should we audit):

9.4 User level auditing (POSIX):

9.5 Internal kernel auditing facility

Here we discuss the manner in which the kernel records audited events.

Any part of the kernel may audit an event.

Only those user-level processes with their auditing capability set may audit an event with the kernel.

Contingency is made for the possibility of the system log filling up.

9.6 Preserving the audit log

This section discusses the kernel hooks provided for making a hard-copy of the system log.

9.7 Auditing policy

This section describes the policies used to define what sorts of events are logged. It also introduces the preferred format for recording these audited events.

Previous Next Table of Contents