[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#6) filesystem auditing



On Wed, 2005-03-16 at 10:52 -0600, Timothy R. Chavez wrote:
> Right, the manner in which you get records for watched files / directories is 
> by filtering on syscalls that access those watched files / directories.  In 
> our case we said it was sufficient to audit the following two:
> 
> ./auditctl -a exit,always -S open
> ./auditctl -a exit,always -S unlink

Hmmm...at least with vanilla 2.6.11+your patch, this starts immediately
generating audit records for _all_ opens and unlinks that occur on the
system.  I assume that isn't what you want.

> So then when you do,
> 
> ./auditctl -w /etc/passwd -k fk_passwd_f

I would have expect this to implicitly enable auditing whenever
audit_notify_watch() is called on an inode that has previously been
flagged as requiring auditing by audit_watch().  I wouldn't expect it to
require further rules, and I certainly wouldn't want to have to audit
all opens just to get these records...

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]