[RFC][PATCH] (#6) filesystem auditing

Timothy R. Chavez tinytim at us.ibm.com
Wed Mar 16 16:52:47 UTC 2005


On Tuesday 15 March 2005 03:01 pm, Stephen Smalley wrote:
> On Tue, 2005-03-15 at 15:48 -0500, Stephen Smalley wrote:
> > Hmmm...how is this supposed to work?  audit_log_exit() isn't called
> > unless context->auditable is set.  Should audit_notify_watch() be
> > setting context->auditable when adding a file to the wtrail so that it
> > will be processed upon syscall exit?  Otherwise, you need some other
> > filter to enable the auditable flag separate from your watch, right?
>
> Note btw that since SELinux does immediate generation of audit messages
> via audit_log* from its hooks, this automatically enables the auditable
> flag (since audit_log_start calls audit_get_stamp, and audit_get_stamp
> enables the auditable flag).  That is why further audit records are
> written at syscall exit whenever SELinux emits an audit message from a
> hook.  But in your case, as you are just adding data to a list from your
> hook, you need to separately enable the auditable flag in some manner.

Right, the manner in which you get records for watched files / directories is 
by filtering on syscalls that access those watched files / directories.  In 
our case we said it was sufficient to audit the following two:

./auditctl -a exit,always -S open
./auditctl -a exit,always -S unlink

So then when you do,

./auditctl -w /etc/passwd -k fk_passwd_f

And then,

cat /etc/passwd

You'll get a record for "passwd".

Then if you added,

./auditctl -w /etc -k fk_etc_d

And then,

cat /etc/passwd

You should get a trail (two records): one for "etc" and one for "passwd".

-tim
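The procedure Tim describes, as an added example that is not part of the thread or of the audit project's own tooling: a shell script that installs the syscall filters and the two watches, reads /etc/passwd, and checks with ausearch that a record carrying each key was written. It assumes root, a running auditd, and auditctl/ausearch on PATH; the per-run key suffix, the always,exit argument order, the openat entry and the use of ausearch's exit status are my additions, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# Reproduces the rule set discussed above and verifies the resulting
# record with ausearch. Assumes: root, auditd running, auditctl and
# ausearch on PATH. Key names, the per-run suffix and the openat entry
# are my additions.
set -eu

WATCHED_FILE=/etc/passwd
WATCHED_DIR=/etc
# A key unique to this run keeps records from earlier experiments
# out of the ausearch result.
KEY_FILE="fk_passwd_f_$$"
KEY_DIR="fk_etc_d_$$"

# True when the audit tooling is usable here; the experiment is
# meaningless on a host without a running audit daemon.
have_audit() {
    [ "$(id -u)" -eq 0 ] &&
    command -v auditctl >/dev/null 2>&1 &&
    command -v ausearch >/dev/null 2>&1 &&
    auditctl -s >/dev/null 2>&1
}

# Start from an empty rule set so leftover rules cannot mask the result.
reset_rules() {
    auditctl -D >/dev/null 2>&1
}

# The two syscall filters the thread relies on. cat(1) on current x86_64
# builds calls openat rather than open, so both are listed; the thread's
# "-S open" alone would miss it there.
install_syscall_filters() {
    auditctl -a always,exit -S open -S openat >/dev/null 2>&1
    auditctl -a always,exit -S unlink >/dev/null 2>&1
}

# Watch the file, then the directory, each with its own key.
install_watches() {
    auditctl -w "$WATCHED_FILE" -k "$KEY_FILE" >/dev/null 2>&1
    auditctl -w "$WATCHED_DIR" -k "$KEY_DIR" >/dev/null 2>&1
}

# Trigger the access and give auditd a moment to flush the record.
touch_watched_file() {
    cat "$WATCHED_FILE" >/dev/null
    sleep 1
}

# Returns 0 when at least one record carries the key; ausearch exits
# non-zero when nothing matches.
has_record_for_key() {
    ausearch -k "$1" >/dev/null 2>&1
}

# Full experiment: returns 0 when both the file key and the directory
# key show up after reading /etc/passwd, as described in the thread.
run_experiment() {
    reset_rules
    install_syscall_filters
    install_watches
    touch_watched_file
    rc=0
    has_record_for_key "$KEY_FILE" || rc=1
    has_record_for_key "$KEY_DIR" || rc=1
    reset_rules
    return "$rc"
}

if have_audit; then
    if run_experiment; then
        echo "records found for both $KEY_FILE and $KEY_DIR"
    else
        echo "expected records missing; inspect auditctl -l and ausearch -k" >&2
        exit 1
    fi
else
    echo "audit tooling not usable here (need root, auditctl, ausearch, auditd)" >&2
fi
```

Dropping install_syscall_filters from run_experiment reproduces the situation Stephen asks about: with the patch under discussion, the watch hook only appends to the trail, so nothing sets the auditable flag and no record is written. Later kernels treat a watch as an exit-filter rule in its own right, so on a current host the watch alone already produces the record; keep that in mind before reading a "records found" result as confirmation of this patch's behaviour.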




More information about the Linux-audit mailing list