[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH 1/2] (#6 U2) filesystem auditing



On Mon, 2005-03-28 at 19:54 -0600, Timothy R. Chavez wrote:
> Hello,
> 
> Here is the patch that implements the filesystem auditing component of the 
> audit subsystem.  For this list, attached as a file /w CHANGELOG.  Patched 
> against linux-2.6.11.5 -- Please note, this is untested in SMP (sorry 
> Stephen, haven't had the time; will do tomorrow).

BTW, trivial test for the shadow file example is:
	auditctl -e 1
	auditctl -w /etc/shadow -p w
	passwd
	<change own password>

I see an audit message for syscall 38 (rename), with two auxiliary items
for shadow (with garbage for the inode= fields, looks like you aren't
setting the ino field upon audit_notify_watch), and two items
for /etc/nshadow and /etc/shadow.  Why two auxiliary items?  Is this due
to the may_delete() notify and the vfs_rename_other() notify both being
triggered upon the rename.  I guess that makes sense.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]