Snare's userland audit daemon works in the same way Gelato does... it loops reading audit events from /proc/audit. This method has the very great virtue of simplicity and it can actually be quite fast and efficient. It'll be neat to see where this goes for user mode drivers, but I wonder what happens if a user mode driver fails? Would the kernel be smart enough to stop preparing the data for the driver? I know when the Snare audit daemon closes /proc/audit, the kernel notices that it has been closed, and amends its behavior to avoid queueing up additional audit events.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds