
Re: [RFC][PATCH] (#6) filesystem auditing



On Tue, 2005-03-15 at 14:42 -0500, Stephen Smalley wrote:
> Ok, why doesn't the following trigger any audit messages:
> 
> # ./auditctl -w /etc/shadow
> AUDIT_WATCH : INSERT : SUCCESS
> 
> $ passwd
> Changing password for user sds.
> Changing password for sds
> (current) UNIX password:
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.
> 
> /etc/shadow was re-created by this transaction.
> 
> I did see debugging messages about pushing and popping data on the cache stack.

Hmmm...how is this supposed to work?  audit_log_exit() isn't called
unless context->auditable is set.  Should audit_notify_watch() be
setting context->auditable when adding a file to the wtrail so that it
will be processed upon syscall exit?  Otherwise, you need some other
filter to enable the auditable flag separate from your watch, right?

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency

