On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:

> Also, when we watch /home/case/viruses/, it's important to note that
> we are not watching anything within viruses/ and that access to
> files/directories within viruses/ do not necessarily "pass through"
> viruses/. So, if we do "cat /home/casey/viruses/deadly37" no audit
> record for "viruses/" would be generated and recorded.

Umm... did you mean the case where 'deadly37' has more than one hard link to it, and references via "the other path" won't trip?

(If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do anything? We do the filesystem perms check, possibly an ACL check if the filesystem supports them, and even an LSM hook. So how can you go "through" without getting an audit record?)