
Re: proposed interface changes for filesystem audit



On Wed, Nov 02, 2005 at 02:58:20PM -0500, Steve Grubb wrote:
> On Wednesday 02 November 2005 14:40, Amy Griffis wrote:
> > (2) A set of filesystem-related aliases for groups of system calls.
> >     Currently, one alias "all" is provided that maps to the full set
> >     of system calls on a given arch.
> 
> Could you show a full auditctl example of this alias?

auditctl -a exit,always -S all -F path=/home/watchme

With the result being that all bits are set in audit_rule.mask.

> >     Here are some examples of other aliases that could be provided:
> >
> >     fs-create:  creat,link,mkdir,mknod,open,rename,symlink
> >     fs-remove:  rename,rmdir,unlink
> >     fs-attr:    chmod,chown,fchmod,fchown,fremovexattr,fsetxattr,lchown,
> >                 lremovexattr,lsetxattr,removexattr,setxattr,truncate,utime(s)
> >     fs-all:     all filesystem-related syscalls
> 
> And one or two of these?

These two rules would be functionally equivalent, but the first is
more convenient:

auditctl -a exit,always -S fs-remove -F path=/home/watchme
auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme

> > (3) If backward compatibility with the -w, -W, and -p options is
> >     desired, 
> 
> Yes, it is for now.
> 
> Thanks,
> -Steve
> 
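The mask behaviour discussed in this message, as an added example that is not part of the original post and is not auditctl's own code: each -S argument sets bits in a 64-word mask, so the fs-remove alias and the three explicit -S options produce identical masks, and "all" sets every bit. The alias table and function names are hypothetical, and the syscall numbers are the x86_64 ones.

```c
#include <stdint.h>
#include <string.h>

/* Same layout as the kernel's audit_rule.mask: one bit per syscall number. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((uint32_t)((nr) / 32))
#define AUDIT_BIT(nr)  (1U << ((nr) - AUDIT_WORD(nr) * 32))

/* x86_64 syscall numbers; other architectures number these differently. */
static const struct { const char *name; int nr; } syscalls[] = {
    { "rename", 82 }, { "rmdir", 84 }, { "unlink", 87 },
};

/* Hypothetical alias table following the proposal in the thread. */
static const char *fs_remove[] = { "rename", "rmdir", "unlink", NULL };

/* Set the mask bit for one syscall name; returns -1 if the name is unknown. */
static int add_syscall(uint32_t *mask, const char *name)
{
    for (size_t i = 0; i < sizeof(syscalls) / sizeof(syscalls[0]); i++)
        if (strcmp(syscalls[i].name, name) == 0) {
            mask[AUDIT_WORD(syscalls[i].nr)] |= AUDIT_BIT(syscalls[i].nr);
            return 0;
        }
    return -1;
}

/* Handle one -S argument: "all", the fs-remove alias, or a syscall name. */
int add_S_option(uint32_t *mask, const char *arg)
{
    if (strcmp(arg, "all") == 0) {
        memset(mask, 0xff, AUDIT_BITMASK_SIZE * sizeof(uint32_t));
        return 0;
    }
    if (strcmp(arg, "fs-remove") == 0) {
        for (const char **p = fs_remove; *p; p++)
            if (add_syscall(mask, *p) != 0)
                return -1;
        return 0;
    }
    return add_syscall(mask, arg);
}

/* Build the masks for both rules from the message; 1 if they are identical. */
int alias_matches_explicit(void)
{
    uint32_t a[AUDIT_BITMASK_SIZE] = {0}, b[AUDIT_BITMASK_SIZE] = {0};
    add_S_option(a, "fs-remove");
    add_S_option(b, "rename"); add_S_option(b, "rmdir"); add_S_option(b, "unlink");
    return memcmp(a, b, sizeof(a)) == 0;
}

int main(void) { return alias_matches_explicit() ? 0 : 1; }
```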

