Date: Mon, 12 Jul 2010 16:20:17 +0300
From: Efstratios Karatzas <gpf.kira@gmail.com>
To: soc-status@freebsd.org, trustedbsd-audit@trustedbsd.org
Subject: Audit Kernel Events, weekly report #6
Message-ID: <AANLkTimKJ47wuB6dCuNN2K9oSpuh3liLfAqKMo9iLI3p@mail.gmail.com>
I spent last week working towards providing audit support for NFSv4 and I can say that it's pretty much done.

In most cases we are auditing the arguments of the RPC, but not all of them; some of them just don't seem to have any real value, like sequence ids or open_stateids. In other cases, e.g. RPCs 'read' & 'write', I tried to audit the same amount of information as in the relative syscalls. In any case, it may prove useful to create a matrix of sorts in my wiki page that clearly shows what information is gathered for each individual RPC, so that others may comment freely. For now, please refer to the description field of my perforce submits.

There are still things to be done such as introducing new token types so that the audit trail produced by praudit is prettier. Also, praudit needs to map return error codes to NFS errors and not errno specific errors. I'm going to postpone working on praudit because I'm mostly worried about changes in the kernel, so it's a low priority job for me.

Last but not least, I'm still a bit baffled about the different ways we may combine share_access, share_deny and other NFS RPC 'open' flags. I couldn't make much sense out of the RFC in this case; I'll take another look and perhaps bother our NFS coder with an e-mail.

I'm scratching NFSv4 off my todo list and I'm moving on towards the last milestone: making audit handle multiple simultaneous audit records per kernel thread.

Thanks

--
Efstratios "GPF" Karatzas