Compared to systrace
Posted May 13, 2004 0:09 UTC (Thu) by AnswerGuy
In reply to: The lightweight auditing framework
Parent article: The lightweight auditing framework
I think the major differences are: systrace is a reference monitor; it can return a code telling the kernel to allow (optionally allowing with a specific set of UID/GID credentials!) or deny the access (optionally with a specific errno). However, it only acts on system calls (though it provides canonicalized arguments to the reference monitor in user space, on which the daemon can make its decisions).
This "auditing framework" is clearly targeted toward logging and is more pervasive, extending beyond system calls to other sorts of resources, and having the rate limiting features.
Personally I prefer the systrace approach and would like to see it more widely adopted. SELinux is far too complex and intrusive. However, with the implicit imprimatur of the NSA giving Red Hat Inc. the lust to include it for future appeal to Gov. and Banking institutions, I think that the simpler, more elegant, and (dare I say) equally effective systrace approach will languish in obscurity! :(
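The contrast drawn in the comment above, as an added example that is not part of the original thread and not the systrace or Linux audit code: a toy user-space reference monitor that evaluates rules written in a simplified imitation of systrace's policy language (the `eq`/`match` operators, `deny[errno]` and `permit as <uid>` forms are assumed here) and returns permit/deny plus an errno or substitute credentials, beside a logging-only audit sink that never blocks a call but enforces a per-second rate limit and counts what it dropped. The policy text, events and timestamps are constructed; the default of denying unmatched calls with EPERM is an assumption made for the model.

```python
"""Toy model: systrace-style reference monitor vs. rate-limited audit log.
Constructed example; not the systrace or Linux audit implementation."""
import errno
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy in an assumed, simplified systrace-like syntax:
#   <syscall>: filename eq|match "<pattern>" then permit|deny[<errno>] [as <uid>]
POLICY = """
native-fsread: filename eq "/etc/passwd" then permit
native-fsread: filename match "/usr/lib/*" then permit
native-fsread: filename match "/home/*/.ssh/*" then deny[enoent]
native-fswrite: filename eq "/var/log/app.log" then permit as 0
native-fswrite: filename match "/etc/*" then deny[eperm]
"""

RULE_RE = re.compile(
    r'^(?P<syscall>\S+): filename (?P<op>eq|match) "(?P<pat>[^"]*)"'
    r' then (?P<action>permit|deny)(?:\[(?P<err>\w+)\])?(?: as (?P<uid>\d+))?$'
)


@dataclass
class Decision:
    action: str                        # "permit" or "deny"
    errno_value: Optional[int] = None  # errno handed back to the caller on deny
    as_uid: Optional[int] = None       # credentials the call runs under on permit


class ReferenceMonitor:
    """First-match evaluator over canonicalized (syscall, filename) pairs.
    Unmatched calls are denied with EPERM (assumption for this model)."""

    def __init__(self, policy_text: str):
        self.rules = []
        for line in policy_text.strip().splitlines():
            m = RULE_RE.match(line.strip())
            if not m:
                raise ValueError("unparseable rule: " + line)
            self.rules.append(m.groupdict())

    def decide(self, syscall: str, filename: str) -> Decision:
        for r in self.rules:
            if r["syscall"] != syscall:
                continue
            if r["op"] == "eq":
                hit = filename == r["pat"]
            else:
                hit = fnmatch.fnmatchcase(filename, r["pat"])
            if not hit:
                continue
            if r["action"] == "permit":
                uid = int(r["uid"]) if r["uid"] is not None else None
                return Decision("permit", as_uid=uid)
            err = getattr(errno, (r["err"] or "eperm").upper())
            return Decision("deny", errno_value=err)
        return Decision("deny", errno_value=errno.EPERM)


class AuditLog:
    """Logging-only counterpart: records events without ever blocking them,
    dropping (and counting) anything beyond `limit` records per second."""

    def __init__(self, limit: int):
        self.limit = limit
        self.records = []
        self.dropped = 0
        self._window = None
        self._count = 0

    def record(self, ts: float, syscall: str, filename: str, uid: int) -> bool:
        second = int(ts)
        if second != self._window:          # new one-second window
            self._window, self._count = second, 0
        self._count += 1
        if self._count > self.limit:
            self.dropped += 1               # lost-message counter, not a block
            return False
        self.records.append(
            f"audit(ts={ts:.3f} uid={uid} syscall={syscall} name={filename})")
        return True


if __name__ == "__main__":
    mon = ReferenceMonitor(POLICY)
    for call, name in [("native-fsread", "/etc/passwd"),
                       ("native-fsread", "/home/alice/.ssh/id_rsa"),
                       ("native-fswrite", "/var/log/app.log"),
                       ("native-fswrite", "/etc/shadow")]:
        print(call, name, "->", mon.decide(call, name))
    log = AuditLog(limit=2)
    for i in range(5):                      # five constructed events in one second
        log.record(10.0 + i * 0.1, "native-fsread", "/tmp/f", 1000)
    print(log.records, "dropped:", log.dropped)
```

The two classes make the comment's distinction concrete: the monitor's return value changes what the kernel does (and can even substitute credentials), while the audit sink only ever answers "recorded or not", so its rate limit costs visibility rather than enforcement.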