[RFC][PATCH] (#6 U1) the latest incarnation

Stephen Smalley sds at tycho.nsa.gov
Thu Mar 24 19:32:25 UTC 2005


On Thu, 2005-03-24 at 14:23 -0500, Stephen Smalley wrote:
> Then I start to see some audit messages during passwd, but I shouldn't
> have to request read access auditing in order to see modifications
> (especially as that will generate a lot more data, e.g. upon every
> authentication program's use of /etc/shadow).

Ok, I see what is happening.  You call audit_attach_watch() from d_move,
but you will never hit an audit_notify_watch(), hence no audit data upon
renames until a subsequent write to the existing file (which never
happens for /etc/shadow, as it is always re-created and renamed for each
transaction).  So a natural question is what else should be calling
audit_notify_watch besides permission, exec_permission_lite, and
may_delete?  d_move?  may_create?

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
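
An added example, not part of this thread or of the audit-watch patch under review: a small userspace C program that shows the file-replacement pattern Stephen describes. passwd writes a fresh file and renames it over /etc/shadow, so the watched inode is swapped out rather than written to, and a notification hook that only fires on permission/may_delete never sees the change. The program assumes only a writable scratch directory under /tmp (it never touches /etc/shadow); the helper names update_by_rename, update_in_place and run_demo are invented for this illustration and are not kernel or patch functions. The kernel's d_move()/audit_notify_watch() are named in comments only to relate the two cases back to the message; nothing here exercises them.

```c
/* Added example: why a per-inode write watch misses a passwd-style update.
 * Scratch directory only; helper names are hypothetical, not kernel APIs. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define BUFSZ 4096

/* Write content to path, creating or truncating it. Returns 0 on success. */
static int write_file(const char *path, const char *content)
{
    size_t len = strlen(content);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, content, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* One passwd-style transaction: build dir/target.tmp, then rename() it over
 * dir/target. Returns 1 if dir/target now has a different inode number (a
 * watch bound to the old inode saw no write at all), 0 if unchanged, -1 on
 * error. In the kernel the rename goes through d_move(), where the patch
 * attaches the watch but never notifies it. */
int update_by_rename(const char *dir)
{
    char target[BUFSZ], tmp[BUFSZ];
    struct stat before, after;

    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/target.tmp", dir);
    if (write_file(target, "old contents\n") != 0 || stat(target, &before) != 0)
        return -1;
    if (write_file(tmp, "new contents\n") != 0)   /* brand-new inode */
        return -1;
    if (rename(tmp, target) != 0)                  /* replaces the directory entry */
        return -1;
    if (stat(target, &after) != 0)
        return -1;
    return before.st_ino != after.st_ino ? 1 : 0;
}

/* Contrast: open dir/target and write into it in place. Returns 1 if the
 * inode is unchanged (this is the case a write-permission hook does catch),
 * 0 if it changed, -1 on error. */
int update_in_place(const char *dir)
{
    char target[BUFSZ];
    struct stat before, after;

    snprintf(target, sizeof target, "%s/target", dir);
    if (write_file(target, "old contents\n") != 0 || stat(target, &before) != 0)
        return -1;
    if (write_file(target, "new contents\n") != 0 || stat(target, &after) != 0)
        return -1;
    return before.st_ino == after.st_ino ? 1 : 0;
}

/* Run both cases in a fresh scratch directory and clean up. Returns 1 when
 * the rename replaced the inode and the in-place write kept it, 0 otherwise,
 * -1 if the scratch directory could not be created. */
int run_demo(void)
{
    char tmpl[] = "/tmp/auditwatch-demo-XXXXXX";
    char path[BUFSZ];
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return -1;
    int by_rename = update_by_rename(dir);
    int in_place = update_in_place(dir);
    snprintf(path, sizeof path, "%s/target", dir);
    unlink(path);
    snprintf(path, sizeof path, "%s/target.tmp", dir);
    unlink(path);
    rmdir(dir);
    return (by_rename == 1 && in_place == 1) ? 1 : 0;
}

int main(void)
{
    int ok = run_demo();
    printf("rename replaces the inode, in-place write keeps it: %s\n",
           ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

The point for anyone reviewing watch coverage: after the rename, the path name is the same but the inode is not, so any notification keyed to the old inode at the write or delete hooks is silent for exactly the transaction an administrator most wants logged. That is why the question in the message is which additional code paths (d_move, may_create) should also call the notify routine.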
