[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jan 27 04:18:56 UTC 2005


On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:

> Also, when we watch /home/case/viruses/, it's important to note that
> we are not watching anything within viruses/ and that access to
> files/directories within viruses/ does not necessarily "pass through"
> viruses/.  So, if we do "cat /home/casey/viruses/deadly37" no audit
> record for "viruses/" would be generated and recorded.

Umm... did you mean the case where 'deadly37' has more than one hard link
to it, and references via "the other path" won't trip?

(If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do
anything? We do the filesystem perms check, possibly an ACL check if the
filesystem supports them, and even an LSM hook.  So how can you go "through"
without getting an audit record?)
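
The two cases raised in this message, as an added example that is not part of the original post: it lists the directories a path lookup has to search on the way to 'deadly37', then shows a second hard link to the same inode whose lookup never touches viruses/. The `srv/mirror` directory, the link name and the helper names are assumptions made for the illustration; the layout is built in a temporary directory and symlinks are not resolved.

```python
import os
import tempfile


def walked_directories(path):
    """Directories a lookup of `path` must search, root first.

    Each needs search (x) permission, which is why 'chmod 0' on any
    of them blocks access to everything reached through it.
    """
    parent = os.path.dirname(os.path.abspath(path))
    dirs = []
    while True:
        dirs.append(parent)
        up = os.path.dirname(parent)
        if up == parent:          # reached the filesystem root
            break
        parent = up
    return list(reversed(dirs))


def same_inode(a, b):
    """True when both names refer to the same inode on the same device."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def demo(root):
    """Build the constructed layout under `root` and compare both paths."""
    watched = os.path.join(root, "home", "casey", "viruses")
    other = os.path.join(root, "srv", "mirror")      # assumed second location
    os.makedirs(watched)
    os.makedirs(other)
    target = os.path.join(watched, "deadly37")
    with open(target, "w") as f:
        f.write("constructed sample\n")
    alias = os.path.join(other, "deadly37-link")     # second hard link
    os.link(target, alias)
    return {
        "same_inode": same_inode(target, alias),
        "nlink": os.stat(target).st_nlink,
        "direct_walks_watched": watched in walked_directories(target),
        "alias_walks_watched": watched in walked_directories(alias),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for key, value in demo(root).items():
            print(f"{key}: {value}")
```
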