[RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing
Timothy R. Chavez
tinytim at us.ibm.com
Thu Mar 31 22:46:29 UTC 2005
.:: Introduction ::.
The audit subsystem is currently incapable of auditing a file system object
based on its location and name. This is critical for auditing well-defined
and security-relevant files such as /etc/shadow, where auditing on inode and
device is fallible. This patch adds the necessary functionality to the audit
subsystem and VFS to support file system auditing in which an object is
audited based on its location and name.
The patch is split in two.
The first patch is the implementation of file system auditing. The bulk of it
resides in kernel/auditfs.c. It is accompanied by a functional overview of
the design in the next message.
The second patch consists of file system hooks. I anticipate some discussion
with regards to them and wanted to provide some context around their
placements and purpose.
----
There... is that succinct enough?
-tim
More information about the Linux-audit
mailing list