In article <39110943.6AE56341@sgi.com>, Linda Walsh <law@sgi.com> wrote:
> Anyway the requirement is to write an audit record that contains
> the luid. I don't think postprocessing qualifies.

Then go fix the requirement. :-)

Sometimes the right way to honor[1] a (broken) specification is
to refuse to honor[2] it...

If you worry about space overhead for long-running systems,
two words: garbage collection. Nothing says the user-level agent
must *retain* old irrelevant audit events. (If the only state
the user-level agent cares about is the luid and sess_id of each
process, then that really is the only state it needs to retain!)

If you worry about time overhead, consider using a ring-buffer
and periodically flushing its contents to user-level to amortize
the context-switch overhead over many events.
(And, add a flag so users who don't want
audit events won't ever pay any overhead.)

In short: I haven't seen any show-stopping objections so far...
(That doesn't mean there aren't any, of course!)
What do you think?

honor, trans. verb:
1. to regard or treat with honor or respect
2. to live up to or fulfill the terms of
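
The design sketched in this message, as an added user-space C simulation (not code from the post or from any kernel): a ring buffer drained in batches, an agent that attaches luid and sess_id after the fact and garbage-collects state for exited processes, and an opt-out flag. The event types, field names, sizes and the fork-inherits-identity rule are assumptions made for the illustration.

```c
#include <stdio.h>

/* User-space simulation; every name here is hypothetical, not a kernel API. */
enum ev_type { EV_LOGIN, EV_FORK, EV_EXIT, EV_OPEN };
struct ev    { enum ev_type type; int pid, a, b; }; /* a,b: luid,sess_id or child pid */
struct ident { int luid, sess_id; };
struct rec   { struct ev ev; struct ident id; };    /* event plus attached identity */

#define RING   8    /* slots in the kernel-side ring */
#define MAXPID 64   /* constructed limit for the demo */
#define MAXOUT 64
static struct ev ring[RING];
static unsigned head, tail;          /* free-running producer/consumer counters */
static int audit_on = 1;             /* the opt-out flag: off means nothing is queued */
static unsigned flushes;             /* stands in for kernel->user context switches */
static struct ident live[MAXPID];    /* the ONLY state the agent retains */
static struct rec out[MAXOUT]; static unsigned out_n;

/* Agent: attach luid/sess_id after the fact, then drop state for dead pids. */
static void agent_consume(const struct ev *e) {
    if (e->pid < 0 || e->pid >= MAXPID) return;
    if (e->type == EV_LOGIN) live[e->pid] = (struct ident){ e->a, e->b };
    if (e->type == EV_FORK && e->a >= 0 && e->a < MAXPID)
        live[e->a] = live[e->pid];                   /* child inherits identity */
    if (out_n < MAXOUT) out[out_n++] = (struct rec){ *e, live[e->pid] };
    if (e->type == EV_EXIT) live[e->pid] = (struct ident){ 0, 0 }; /* garbage collection */
}
/* One flush drains the whole batch, so its cost is shared by every queued event. */
static void audit_flush(void) {
    if (head == tail) return;
    while (tail != head) agent_consume(&ring[tail++ % RING]);
    flushes++;
}
static void audit_emit(enum ev_type t, int pid, int a, int b) {
    if (!audit_on) return;
    ring[head++ % RING] = (struct ev){ t, pid, a, b };
    if (head - tail == RING) audit_flush();          /* full: flush before overwriting */
}
static unsigned demo(void) {                         /* constructed event sequence */
    audit_emit(EV_LOGIN, 1, 1000, 7);
    audit_emit(EV_FORK, 1, 2, 0);
    audit_emit(EV_OPEN, 2, 0, 0);
    audit_emit(EV_EXIT, 2, 0, 0);
    audit_flush();                                   /* the periodic flush */
    return out_n;
}
int main(void) {
    unsigned n = demo();
    printf("%u records, %u flush(es), pid 2 luid=%d\n", n, flushes, out[2].id.luid);
    return 0;
}
```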
This archive was generated by hypermail 2b29 : Sun May 07 2000 - 21:00:16 EST