[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support



On Wed, 26 Jan 2005 23:18:56 -0500, Valdis Kletnieks vt edu
<Valdis Kletnieks vt edu> wrote:
> On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:
> 
> > Also, when we watch /home/case/viruses/, it's important to note that
> > we are not watching anything within viruses/ and that access to
> > files/directories within viruses/ do not necessarly "pass through"
> > viruses/.  So, if we do "cat /home/casey/viruses/deadly37" no audit
> > record for "viruses/" would be generated and recorded.
> 
> Umm... did you mean the case where 'deadly37' has more than one hard link
> to it, and references via "the other path" won't trip?

Nope.

> 
> (If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do
> anything? We do the filesystem perms check, possibly an ACL check if the
> filesystem supports them, and even an LSM hook.  So how can you go "through"
> without getting an audit record?

Unless, I was doing something wrong.  When I tested a watch point on
both "/etc" and "passwd".  When I issued a "cat /etc/passwd" only a
record for "passwd" was generated.  Then, when I did a "cat /etc", I
received a record for "etc" -- I was only recording open() syscalls,
however.

I didn't look into this behavior too much, but I will.  Let me retest
this in the morning with the patch #2 (since the current code is kind
of broken right now *cough*) and send some results.

> 
> 
> 


-- 
- Timothy R. Chavez


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]