
Re: [PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify



On Tue, 2009-06-16 at 11:43 -0400, Eric Paris wrote:
> Note that audit watches don't use inotify to do any of the actual
> auditing.  They just use inotify to discover the watched files were
> created or removed.  So we weren't using much of the inotify feature
> set.

Eric, 

 thanks for the thorough explanation.

It's been a while since I last looked, but the file watches are being
audited at the syscall level, right? So inotify/fsnotify is used to
associate a filename to an inode when the file is created, or to
deassociate when it is removed. Is the rename/mv also covered by those
or differently? I remember that moving a file around doesn't invalidate
its rule (the file's inode is still the same), but auditctl -l doesn't
follow the name around, for example.

But that's also probably the right thing to do in that case, I'm not
sure.

 -Klaus
-- 
Klaus Heinrich Kiwi <klausk linux vnet ibm com>
Linux Security Development, IBM Linux Technology Center

