[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Wed, 2004-12-15 at 17:03 +0000, Timothy R. Chavez wrote:
> > .. just hook permission(9) rather than the individual vfs_* functions.
> 
> That seems like a pretty good idea since all the information about the
> syscall will be covered else where, all we really need is a place
> where we have the inode and access to its audit data.
> 
> Are there any objections with this approach?

Does this approach still allow us to cover the example of failed file-
opens (no such file or dir), where an inode does not exist, but the
administrator wants an indication that the attempt was made?

eg: normal user$ echo "+ + someuser" > /etc/hosts.equiv
bash: /etc/hosts.equiv: No such file or directory

In general, two (or more) audit events could be generated here:
* Permission denied on create file, in /etc (which would be covered by
the permission() inode), and
* User attempted to WRITE to /etc/hosts.equiv, and failed.

Leigh.

-- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]