audit 0.6 release

Casey Schaufler casey at schaufler-ca.com
Thu Jan 13 18:09:45 UTC 2005


--- David Woodhouse <dwmw2 at infradead.org> wrote:

> On Fri, 2005-01-07 at 11:20 +1100, Leigh Purdie
> wrote:
> > 
> > Tom can correct me here, but I suspect that
> ideally:
> > * symlinks and links should be resolved. (even if
> the file linked to
> > no longer actually exists - the final path name
> should still be
> > reported/filtered on).

There will be times when one will wish to filter
on any of
   - The pathname requested
     /tmp/symlink_to_passwd
   - The pathname resolved
     /tmp/symlink_to_passwd/etc/passwd
   - One of the other names of the object
     /tmp/hardlink_to_passwd

> > Ideally, access to an
> symlink will actually
> > generate TWO events - one for the symlink (open -
> read), one for the
> > final file (open - as per user requirement).

Erg. That logic implies that you'd want a record
for each directory the lookup passes through.
Don't think that that has never been seriously
considered, BTW.
 
> That's a meaningful statement for symlinks but not
> for hard links. With
> hard links there is no one 'final path name';
> they're all just different
> names for the same inode. If I hard-link /etc/passwd
> to /tmp/fish then
> both of those are _real_ names for it.

That is correct. In this case what you want to
do is
    - Get the pathname of the object you want
      to filter on (/etc/passwd)
    - Fetch the dev/inode information
    - For each record that comes out look
      for either the name you requested or
      the dev/inode pair.
    - When you see the pathname unlinked you
      might forget the dev/inode, but since
      when it was /etc/passwd you cared about
      it who's to say you don't now, just
      because it has a different name?
    - When /etc/passwd is renamed to /etc/opasswd
      do you want to stop watching it?
      This could go either way.
    - When you see the pathname created you
      refetch the dev/inode

> It would be almost impossible to implement a system
> which is asked to
> log 'all access to /etc/*' and includes in that the
> access to /tmp/fish.

Costly, yes.

=====
Casey Schaufler
casey at schaufler-ca.com


		
__________________________________ 
Do you Yahoo!? 
Read only the mail you want - Yahoo! Mail SpamGuard. 
http://promotions.yahoo.com/new_mail 




More information about the Linux-audit mailing list