[RFC][PATCH 2/2] (#6 U2) filesystem auditing
Steve Grubb
sgrubb at redhat.com
Tue Mar 29 14:50:11 UTC 2005
On Monday 28 March 2005 20:55, Timothy R. Chavez wrote:
> -> Added support for watch listing in auditctl
I'm happy we have something. However, we never finished the discussion from
yesterday. I don't think you should have to pass a path to list the watches.
Let's just walk the watch list and dump the strings. Maybe what you are
thinking of is a watch status command? Pass a path and it tells you what
device and namespace its bound to. But I'm just guessing since we need to
finish the questions I posed yesterday:
1) Can you explicitly state the namespace or device when you load a watch?
2) Does the device and namespace get implicitly bound to the path by virtue
of who loaded the watch and the mount table that in effect at the time the
rule was loaded?
3) Does the watch work for all name spaces and devices?
These topics need to be documented for the man page.
> + Changed types in libaudit to be identical to the types of audit_watch in
> audit.h
I'll readjust the types to userspace types. __u32 is kernel. uint32_t is
userspace.
Thanks,
-Steve
More information about the Linux-audit
mailing list