.56 kernel FS_WATCH records
Loulwa Salem
loulwas at us.ibm.com
Tue Jun 7 18:15:17 UTC 2005
Steve Grubb wrote:
> Hi,
>
> Testing with the .56 kernel. I did a watch on a file and then did a move:
... snip ...
> Why does FS_WATCH have 2 formats? Both are the same type and have totally
> different name/value pairs. This messes up parsing. If they represent 2
> different pieces of information, they have to have 2 different message types.
>
> Besides, why are they split like this? They weren't like this last week. This
> introduces another 46 byte overhead to diskspace consumption for each record.
>
> Also, in the path record, it is a file - not a dir. The permissions are wrong
> as well. sb 0644.
>
> -Steve
>
I definitely agree with Steve ... having two different FS_WATCH records
will also break our parsing mechanism.
I think from a test perspective, I would prefer concatenating the
records the way they were before rather than creating another type.
Having a different type will also cause a headache in our parse and
verify functions.
- Loulwa
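A consistency check in the spirit of Steve's complaint, added here as an example (not code from the list thread, whose actual records were snipped): it parses audit lines, collects the key set per type= and flags any type that appears with more than one layout. The sample lines, their field names and the octal mode= encoding read by mode_type are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (the real records were snipped from the post).
# Field names after the msg= prefix are hypothetical; they only serve to show
# two FS_WATCH records of the same type carrying different name/value pairs.
SAMPLE_LOG = """\
type=FS_WATCH msg=audit(1118168117.300:71): watch_inode=12345 watch=test.txt filterkey=mykey
type=FS_WATCH msg=audit(1118168117.300:71): perm=0 perm_mask=2
type=PATH msg=audit(1118168117.300:71): name=/tmp/test.txt inode=12345 mode=040644
type=SYSCALL msg=audit(1118168117.300:71): arch=40000003 syscall=38 success=yes exit=0
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")


def parse_record(line):
    """Split one audit line into (type, serial, {key: value}); None if unparseable."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return rtype, int(serial), fields


def key_sets_by_type(log_text):
    """Collect every distinct set of field names seen for each record type."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, _serial, fields = parsed
            seen[rtype].add(frozenset(fields))
    return seen


def inconsistent_types(log_text):
    """Types whose records disagree on their field names (sorted list).
    This is exactly the situation the thread objects to: a parser keyed on
    type= cannot tell which of two layouts a given record holds."""
    return sorted(t for t, sets in key_sets_by_type(log_text).items() if len(sets) > 1)


def mode_type(mode_octal):
    """Classify a PATH mode= value by its S_IFMT bits (assumed octal encoding)."""
    fmt = int(mode_octal, 8) & 0o170000
    return {0o040000: "dir", 0o100000: "file"}.get(fmt, "other")
```

Run against a real log, the first function that needs extending is parse_record, since values containing spaces are quoted or hex-encoded in newer audit output.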