[RFC][PATCH 3/3] (#7U1) file system auditing
Valdis.Kletnieks at vt.edu
Sun Apr 24 04:11:57 UTC 2005
On Sat, 23 Apr 2005 01:04:52 -0000, "Timothy R. Chavez" said:
> I think for symmetry's sake, that makes sense. But doing a "delete all" in
> the kernel has these advantages:
>
> 1. All watches can be deleted. This might not be true in user space. If the
> path is invalid (i.e., a namespace has changed or the path has become otherwise
> inaccessible), you won't be able to delete the watch.

What should actually appear in the audit stream if this case happens? Do we
log enough info that the admin has a fighting chance of figuring out what happened
even in the face of chroot or mount --bind or other similar things?