[RFC][PATCH 1/2] (#6 U2) filesystem auditing
Stephen Smalley
sds at tycho.nsa.gov
Tue Mar 29 16:43:21 UTC 2005
On Mon, 2005-03-28 at 19:54 -0600, Timothy R. Chavez wrote:
> Hello,
>
> Here is the patch that implements the filesystem auditing component of the
> audit subsystem. For this list, attached as a file w/ CHANGELOG. Patched
> against linux-2.6.11.5 -- Please note, this is untested in SMP (sorry
> Stephen, haven't had the time; will do tomorrow).
BTW, a trivial test for the shadow file example is:
auditctl -e 1
auditctl -w /etc/shadow -p w
passwd
<change own password>
I see an audit message for syscall 38 (rename), with two auxiliary items
for shadow (with garbage for the inode= fields, looks like you aren't
setting the ino field upon audit_notify_watch), and two items
for /etc/nshadow and /etc/shadow. Why two auxiliary items? Is this due
to the may_delete() notify and the vfs_rename_other() notify both being
triggered upon the rename? I guess that makes sense.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
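The audit record Stephen describes is a rename of /etc/nshadow over /etc/shadow, the usual "write a sibling file, then rename() it into place" update that replaces the live file's inode rather than writing to it. The program below is an added example, not code from the thread or from the audit patch: it reproduces that pattern in a scratch directory under /tmp (the names shadow and nshadow, the sample contents and the helper names atomic_replace and inode_changed_demo are assumptions) and reports that the path now resolves to a different inode while the old inode has lost its last link. That is the reason a path watch has to follow the rename rather than stay pinned to the inode it was registered against, and why the rename itself is the event worth recording.

```c
/* Added example for the linux-audit thread above; not part of the patch.
 * Reproduces the nshadow -> shadow rename in a temporary directory and
 * shows the effect on the inode a watch would have been keyed to. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct replace_result {
    ino_t ino_before;   /* inode "shadow" resolved to before the rename */
    ino_t ino_after;    /* inode "shadow" resolves to after the rename */
    int   old_ino_gone; /* 1 if the pre-rename inode has no link left */
};

/* Write a small file with mode 0600; returns 0 on success, -1 on error. */
static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Create dir/shadow, write dir/nshadow, then rename() nshadow over shadow
 * (the syscall the audit record shows). Fills *r; returns 0 or -1. */
int atomic_replace(const char *dir, struct replace_result *r)
{
    char shadow[4096], nshadow[4096];
    struct stat st_old, st_new, st_oldfd;

    snprintf(shadow, sizeof shadow, "%s/shadow", dir);
    snprintf(nshadow, sizeof nshadow, "%s/nshadow", dir);

    /* constructed sample contents; real shadow lines are not needed here */
    if (write_file(shadow, "root:old:1::::::\n") < 0)
        return -1;
    if (stat(shadow, &st_old) < 0)
        return -1;

    /* Hold the old inode open so its link count can be inspected later. */
    int oldfd = open(shadow, O_RDONLY);
    if (oldfd < 0)
        return -1;

    /* passwd-style update: new contents go to a sibling file first ... */
    if (write_file(nshadow, "root:new:2::::::\n") < 0 ||
        /* ... then are swapped into place atomically with rename(2). */
        rename(nshadow, shadow) < 0 ||
        stat(shadow, &st_new) < 0 ||
        fstat(oldfd, &st_oldfd) < 0) {
        close(oldfd);
        return -1;
    }
    close(oldfd);

    r->ino_before = st_old.st_ino;
    r->ino_after = st_new.st_ino;
    r->old_ino_gone = (st_oldfd.st_nlink == 0);
    return 0;
}

/* Runs atomic_replace() in a fresh mkdtemp() directory and cleans up.
 * Returns 1 if "shadow" now names a different inode and the old inode is
 * unlinked, 0 if not, -1 on error. */
int inode_changed_demo(void)
{
    char tmpl[] = "/tmp/auditdemoXXXXXX";
    char path[4096];
    struct replace_result r;
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return -1;
    int rc = atomic_replace(dir, &r);
    snprintf(path, sizeof path, "%s/shadow", dir);
    unlink(path);
    snprintf(path, sizeof path, "%s/nshadow", dir);
    unlink(path);
    rmdir(dir);
    if (rc < 0)
        return -1;
    return (r.ino_before != r.ino_after) && r.old_ino_gone;
}

int main(void)
{
    int changed = inode_changed_demo();
    printf("inode replaced by rename: %s\n",
           changed == 1 ? "yes" : changed == 0 ? "no" : "error");
    return changed == 1 ? 0 : 1;
}
```

Run it as an unprivileged user; nothing touches the real /etc/shadow. Pair it with the auditctl commands above on a kernel carrying the patch and the record for syscall 38 should show the same two paths, with the ino= fields matching ino_before and ino_after once the watch sets them.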