[RFC] linux-2.6.10-auditfs-tc1.patch

[Klaus Weidner]

On Thu, Jan 20, 2005 at 09:47:11AM -0600, Timothy R. Chavez wrote:
> On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2 at infradead.org> wrote:
> > As I understand it, this watches only extant inodes. You can't watch for
> > attempts to read or create a non-existent file. Is that functionality
> > not required?
> 
> I'm fairly sure that for CAPP, this capability is not required. 
> Granted, it would be useful for other types of auditing.

The CAPP and LSPP requirements only concern access to objects, and a
nonexistent file isn't an object to which access needs to be monitored.

> To log accesses on non-existent files, it'd probably be sufficient to
> hook d_lookup.  At that point I have my parent dentry/inode and know
> my name.  I can simply check to see if its being watched or not and if
> it is, record the attempt.

Note that many programs will try to open tons of nonexistent files due to
various preconfigured locations for config files etc. Such access would
need to be filtered to be at all useful. But you mention that this could
be done via the watch list, which would solve this.

Auditing of failed attempts to create new files may be useful to find out
if someone is trying to create a ~/.ssh/authorized_keys file or something
else with a potential security impact. This should be a fairly rare
occurence, so I think a simple rule to audit all failed file creation
attempts would probably be sufficient. A full watch list based solution
would be optimal but I'd consider that to be a low priority.

-Klaus