[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Timothy R. Chavez
chavezt at gmail.com
Thu Jan 27 05:42:10 UTC 2005
On Wed, 26 Jan 2005 23:18:56 -0500, Valdis.Kletnieks at vt.edu
<Valdis.Kletnieks at vt.edu> wrote:
> On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:
>
> > Also, when we watch /home/case/viruses/, it's important to note that
> > we are not watching anything within viruses/ and that access to
> > files/directories within viruses/ does not necessarily "pass through"
> > viruses/. So, if we do "cat /home/casey/viruses/deadly37" no audit
> > record for "viruses/" would be generated and recorded.
>
> Umm... did you mean the case where 'deadly37' has more than one hard link
> to it, and references via "the other path" won't trip?
Nope.
>
> (If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do
> anything? We do the filesystem perms check, possibly an ACL check if the
> filesystem supports them, and even an LSM hook. So how can you go "through"
> without getting an audit record?)
Unless I was doing something wrong: when I tested a watch point on
both "/etc" and "passwd" and issued a "cat /etc/passwd", only a
record for "passwd" was generated. Then, when I did a "cat /etc", I
received a record for "etc" -- I was only recording open() syscalls,
however.
I didn't look into this behavior too much, but I will. Let me retest
this in the morning with the patch #2 (since the current code is kind
of broken right now *cough*) and send some results.
--
- Timothy R. Chavez