[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Timothy R. Chavez chavezt at gmail.com
Sat Jan 29 04:16:22 UTC 2005


Hello,

First, a note on previous discussion.

So I was just fixing a bug and I took a look at why I wasn't
generating a record for both "etc" and "passwd" if they were both
being watched and I issued a "cat /etc/passwd".

When I took a look, I saw that permission() isn't called on "etc", but
instead exec_permission_lite() is.  Once I hooked this function, I got
the expected audit records for both "etc" and "passwd".

I will release patch #3 most likely tomorrow, which addresses comments,
bugs, etc. on patch #2.  I've yet to talk to Chris about the possible
bug he sees in d_move(), but hope to resolve that soon and have any
needed changes in patch #4.

Patch #4 will mostly introduce new features (and include any bug
fixes, comments, nits on patch #3).  Primarily the ability to
enable/disable the filesystem auditing dynamically (from userspace),
attaching a permissions bitmask to watch points, and a revision on the
audit_data preallocation mechanism.  I also hope to be able to release
a userspace patch to auditctl so that the code can be functionally
tested by people other than myself.

Thanks all!



