[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#6) filesystem auditing

On Wed, 2005-03-16 at 11:16 -0600, Timothy R. Chavez wrote:
> Alright, let me see what I can do.  The advantage to using the syscall is that 
> when you assembled the record from its serial numbers, you could see "Ok an 
> open() was called on our watched file and failed" -- I didn't really feel 
> like there was a better or easier way to express this when I first started 
> development.

Compare with the existing syscall filter rules for opening a specific
inode, e.g. even with vanilla 2.6.11, I can do the following:
  auditctl -a exit,always -S open -F inode=`ls -i /etc/shadow | awk '{print $1}'`

And then a cat /etc/shadow generates an audit record, whereas opening
other files does not.  Note that I should actually be specifying a
(device, inode) pair to avoid ambiguity, but I don't think chrisw's
fixes for the device filters were included in 2.6.11.

Offhand, I don't see why you wouldn't just always set context->auditable
to 1 upon any audit_notify_watch() call on an inode marked as requiring
auditing, but alternatively, you could define a new filter "field"
called "watch" and modify the kernel and auditctl so that if someone
  auditctl -a exit,always -S open -F watch
then the kernel would only generate an audit record if a watched inode
was encountered during processing of an open syscall.

Stephen Smalley <sds tycho nsa gov>
National Security Agency

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]