proposed interface changes for filesystem audit
Amy Griffis
amy.griffis at hp.com
Wed Nov 2 22:11:23 UTC 2005
On Wed, Nov 02, 2005 at 04:22:20PM -0500, Steve Grubb wrote:
> On Wednesday 02 November 2005 16:10, Amy Griffis wrote:
> > auditctl -a exit,always -S all -F path=/home/watchme
>
> Thanks. That helps clarify it for me.
>
> > These two rules would be functionally equivalent, but the first is
> > more convenient:
> >
> > auditctl -a exit,always -S fs-remove -F path=/home/watchme
> > auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme
>
> Does your patch change the kernel to accept multiple syscalls in an audit
> rule? Currently, we have 1 syscall per rule.
Yes, 1 syscall per rule has been the typical usage, but the kernel
actually supports multiple syscalls per rule (and possibly has from
the beginning). So, something like this already works today:
auditctl -a exit,always -S rename -S rmdir -S unlink -F inode=1234
Amy
More information about the Linux-audit
mailing list