[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support



On Tue, 2005-01-25 at 01:22, Timothy R. Chavez wrote:
> Alright,
> 
> Once again, thank you to Serge, Chris, and David for all the insight. 
> Here's the latest patch incorporating many of the changes you all
> suggested.  There are still some things missing and not fully tested
> (for instance, the locking).
> 
> TODO:
> 
> * Make filesystem auditing enabled/disabled at runtime
> * Re-add comments with proper DocBook formatting
> * Remove Makefile changes
> * Move struct audit_file to a slab cache
> 
> Am I forgetting something? (Soooo tired ;-))
> 
> I'd appreciate any and all comments / feedback.  Thank you.

Possibly I missed earlier discussion of this issue, but I would have
expected an audit watch to have an associated permission mask (i.e. I
only want to watch for writes to /etc/passwd, not reads), and have
audit_notify_watch() only add a entry to the audit context if the audit
watch mask has a non-zero intersection with the requested permission
mask.  Otherwise, you will be generating a ton of useless entries.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]