
Re: [RFC][PATCH 3/3] CAPP-compliant file system auditing



On Thu, 2005-03-31 at 12:24 -0600, Timothy R. Chavez wrote:
> :: Tools ::
> 
> To enable the kernel functionality one will need to download the audit-0.6.9 
> source tree (http://people.redhat.com/sgrubb/audit/) and apply the attached 
> patch.  Read the README-install file for installation instructions.  If the 
> audit daemon is not running (also included in this package), then audit 
> records will appear in /var/log/syslog rather than /var/log/audit.log.  Use 
> the "auditctl" tool for inserting, removing, and listing watches.
> 
> Note:  At the time of writing this e-mail the user space / kernel space 
> interaction is not yet complete.  For instance, I'd eventually like to add 
> serialization routines to both spaces to pass "watch" structures more easily.  
> There is also talk about another type of watch listing feature that can list 
> all the watches present in memory.

This one was also line-wrapped, but I fixed it up by hand. After
rebuilding auditctl, I again tried my trusty test case:
	auditctl -e 1
	auditctl -w /etc/shadow -p w -k SHADOW
	passwd

I'm not sure why yet, but I end up with three different inode numbers
involved in the resulting audit messages, two different ones for the two
auxitem records on the shadow watch (which both have name "shadow"), and
a third inode number listed for both /etc/nshadow and /etc/shadow on the
regular item list collected during pathname resolution.  For the watch-
generated ones, I expected the same inode number (since it is a rename
and involves no change); for the regular items, I expected
the /etc/nshadow inode number to correspond with that same inode number
(since it is the file that is renamed to /etc/shadow), with
the /etc/shadow inode number being the original inode number of the old
file.  Seems to bear investigation...  

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency
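The inode expectations in the reply above come from how passwd updates the shadow file: it writes a new file (/etc/nshadow), then renames it over /etc/shadow. The script below is an added example, not code from this thread or from the audit package; it reproduces that write-then-rename sequence in a scratch directory with constructed file names and contents, so the "which inode should appear where" question can be checked against the filesystem's actual behaviour before comparing it to the audit records.

```shell
#!/bin/sh
# Added example (not part of the thread): reproduce the inode relationships
# expected from a write-then-rename update of a shadow file, using a
# throwaway directory and constructed file names so nothing real is touched.

inode_of() {
    # POSIX `ls -i` prints "<inode> <name>"; keep only the inode field.
    ls -i "$1" | awk '{print $1}'
}

# Returns 0 when, after `mv nshadow shadow`, the inode at the shadow path is
# the inode the temp file had (rename keeps the inode) and is no longer the
# inode of the original shadow file (which was replaced, not modified).
rename_inode_demo() {
    dir=$(mktemp -d) || return 1

    printf 'old shadow\n' > "$dir/shadow"
    old=$(inode_of "$dir/shadow")          # inode of the original target

    printf 'new shadow\n' > "$dir/nshadow"
    new=$(inode_of "$dir/nshadow")         # inode of the freshly written file

    mv "$dir/nshadow" "$dir/shadow"        # rename(2) within one directory
    after=$(inode_of "$dir/shadow")        # inode now reachable via the target path

    rm -rf "$dir"
    echo "original shadow inode=$old  nshadow inode=$new  shadow inode after rename=$after"

    [ "$after" = "$new" ] && [ "$after" != "$old" ]
}

rename_inode_demo
```

So a correct set of records for this test would show one inode (the nshadow one) for the post-rename /etc/shadow and for /etc/nshadow, and a different, older inode only for the pre-rename /etc/shadow; two distinct inodes on the two watch-generated records for the same name would be the first thing to chase.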

