[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support



On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:

> Also, when we watch /home/case/viruses/, it's important to note that
> we are not watching anything within viruses/ and that access to
> files/directories within viruses/ do not necessarly "pass through"
> viruses/.  So, if we do "cat /home/casey/viruses/deadly37" no audit
> record for "viruses/" would be generated and recorded.

Umm... did you mean the case where 'deadly37' has more than one hard link
to it, and references via "the other path" won't trip?

(If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do
anything? We do the filesystem perms check, possibly an ACL check if the
filesystem supports them, and even an LSM hook.  So how can you go "through"
without getting an audit record?

Attachment: pgp00006.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]