[PATCH 0/2] filesystem auditing: augment audit_inode

Amy Griffis amy.griffis at hp.com
Wed Oct 19 21:11:39 UTC 2005


Hello,

The following two patches augment the collection of inode info during
syscall processing.  They represent part of the functionality that was
provided by the auditfs patch included in RHEL4.

Specifically, they:

- Collect information for target inodes created or removed during
  syscalls.  Previous code only collects information for the target
  inode's parent.

- Add the audit_inode() hook to syscalls that operate on a file
  descriptor (e.g. fchown), enabling audit to do inode filtering for
  these calls.

- Modify filtering code to check audit context for either an inode #
  or a parent inode # matching a given rule.

- Modify logging to provide inode # for both parent and child.

- Protect debug info from NULL audit_names.name.

Please let me know if you have any comments.  I'll note a concern of
my own in a following email.

I've done a fair amount of testing with these patches, and think it
would be good if we could start providing a test kernel for filesystem
auditing patches.  I think this should be separate from an audit-lspp
test kernel.

I based these patches off David's git tree, although the patch against
fsnotify should really be sent to the Inotify developers.  Any
thoughts on where these patches should live?  Could we have multiple
branches in David's audit git tree?

Thanks,
Amy
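To make the filtering and logging changes listed above concrete, here is an added illustration that is not part of Amy's patches or of the kernel audit code. It models a per-syscall audit context with constructed types (`name_entry`, `syscall_ctx`) and constructed inode numbers (parent directory 100, created file 200), then contrasts the old parent-only rule match against the new "inode or parent inode" match, shows an fd-based call carrying a NULL name, and keeps the debug output NULL-safe:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the audit context described in the cover letter.
 * Illustration-only types, not the kernel's struct audit_names/audit_context. */
struct name_entry {
    const char *name;   /* pathname seen by the syscall; NULL for fd-based calls */
    unsigned long ino;  /* target inode number, 0 when not collected */
    unsigned long pino; /* parent directory inode number, 0 when not collected */
};

#define MAX_NAMES 8

struct syscall_ctx {
    struct name_entry names[MAX_NAMES];
    size_t name_count;
};

/* What an audit_inode() hook would record: target inode plus its parent. */
static bool ctx_add_name(struct syscall_ctx *c, const char *name,
                         unsigned long ino, unsigned long pino)
{
    if (c->name_count >= MAX_NAMES)
        return false;
    c->names[c->name_count].name = name;
    c->names[c->name_count].ino = ino;
    c->names[c->name_count].pino = pino;
    c->name_count++;
    return true;
}

/* Pre-patch behaviour: only the parent inode was collected, so a rule
 * keyed on the created/removed file's own inode never fires. */
static bool rule_matches_parent_only(const struct syscall_ctx *c, unsigned long rule_ino)
{
    for (size_t i = 0; i < c->name_count; i++)
        if (c->names[i].pino == rule_ino)
            return true;
    return false;
}

/* Post-patch behaviour: fire when either the target or its parent matches. */
static bool rule_matches_inode_or_parent(const struct syscall_ctx *c, unsigned long rule_ino)
{
    for (size_t i = 0; i < c->name_count; i++)
        if (c->names[i].ino == rule_ino || c->names[i].pino == rule_ino)
            return true;
    return false;
}

/* NULL-safe name for debug/log output (fd-based syscalls carry no path). */
static const char *name_for_log(const struct name_entry *e)
{
    return e->name ? e->name : "(null)";
}

/* One log line per collected name, reporting both inode numbers. */
static int log_names(const struct syscall_ctx *c, FILE *out)
{
    int lines = 0;
    for (size_t i = 0; i < c->name_count; i++, lines++)
        fprintf(out, "item=%zu name=%s inode=%lu parent=%lu\n", i,
                name_for_log(&c->names[i]), c->names[i].ino, c->names[i].pino);
    return lines;
}

/* Constructed context for creat("/var/log/app.log"): parent 100, new file 200. */
static struct syscall_ctx sample_create_ctx(void)
{
    struct syscall_ctx c = { .name_count = 0 };
    ctx_add_name(&c, "/var/log/app.log", 200, 100);
    return c;
}

/* Constructed context for fchown(fd, ...): no pathname, only the inode. */
static struct syscall_ctx sample_fchown_ctx(void)
{
    struct syscall_ctx c = { .name_count = 0 };
    ctx_add_name(&c, NULL, 200, 0);
    return c;
}

/* Scenario helpers: a rule watching inode 200 (the created file). */
static bool old_rule_fires_on_created_file(void)
{
    struct syscall_ctx c = sample_create_ctx();
    return rule_matches_parent_only(&c, 200);
}

static bool new_rule_fires_on_created_file(void)
{
    struct syscall_ctx c = sample_create_ctx();
    return rule_matches_inode_or_parent(&c, 200);
}

static bool new_rule_fires_on_fchown(void)
{
    struct syscall_ctx c = sample_fchown_ctx();
    return rule_matches_inode_or_parent(&c, 200);
}

/* The fd-based entry has name == NULL; logging must not dereference it. */
static bool fchown_log_is_null_safe(void)
{
    struct syscall_ctx c = sample_fchown_ctx();
    return name_for_log(&c.names[0])[0] == '(' && log_names(&c, stdout) == 1;
}

int main(void)
{
    printf("old match on created file: %d\n", old_rule_fires_on_created_file());
    printf("new match on created file: %d\n", new_rule_fires_on_created_file());
    printf("new match on fchown:       %d\n", new_rule_fires_on_fchown());
    return fchown_log_is_null_safe() ? 0 : 1;
}
```

The two match functions differ only in which inode numbers they consult, which is the whole point of the filtering change: a watch on a file's own inode is useless if the context only ever carried the parent's inode, and an fd-based syscall such as fchown cannot match at all unless audit_inode() is called for the descriptor's inode.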
