[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Casey Schaufler
casey at schaufler-ca.com
Tue Jan 25 18:11:42 UTC 2005
--- Valdis.Kletnieks at vt.edu wrote:
> On Tue, 25 Jan 2005 09:40:00 PST, Casey Schaufler
> said:
>
> > What are the implications regarding a chroot
> > environment? I can imagine (although it strikes
> > me as somewhat insane) an admin wanting to audit
> > everything that goes on in a chroot environment,
> > say for a honeypot. The watching would have to
> > be enabled from outside. Not a bad thing, but is
> > it what you want?
>
> Well, from where I'm sitting, *if* you buy into the
> idea of
> a honeypot as being sane, you *definitely* want to
> be able
> to enable auditing from "outside".
Clearly. Are there any cases where it makes
sense for it to be done from inside? If not,
looking at "/" might be fine.
=====
Casey Schaufler
casey at schaufler-ca.com
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail
More information about the Linux-audit
mailing list