[RFC][PATCH] (#4) auditfs
Chris Wright
chrisw at osdl.org
Wed Feb 23 20:02:14 UTC 2005
* Klaus Weidner (klaus at atsec.com) wrote:
> On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
> > And admittedly, I am also being a little redundant in that
> > the original code can already provide us with the read() and write()
> > exit code and the file/directory being read from/written to. However,
> > if we want to specifically monitor activity in the filesystem
> > surrounding watched objects, then wouldn't these hooks in read(),
> > write(), etc. be vital? Klaus? How else will we know if a read() or
> > write() truly succeeded or failed on a watched filesystem object?
>
> read() and write() aren't considered security relevant operations since
> they don't do any permission checks. From the CC point of view the
> interesting call is open(), and if that's properly handled it's enough.
Does this potentially change with LSPP? Since LSM (SELinux as an
example) does actually check read/write?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net