[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#6) filesystem auditing



On Wednesday 16 March 2005 11:05 am, Stephen Smalley wrote:
<snip>
>
> I would have expect this to implicitly enable auditing whenever
> audit_notify_watch() is called on an inode that has previously been
> flagged as requiring auditing by audit_watch().  I wouldn't expect it to
> require further rules, and I certainly wouldn't want to have to audit
> all opens just to get these records...

Alright, let me see what I can do.  The advantage to using the syscall is that 
when you assembled the record from its serial numbers, you could see "Ok an 
open() was called on our watched file and failed" -- I didn't really feel 
like there was a better or easier way to express this when I first started 
development.

-tim


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]