[PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify
Klaus Heinrich Kiwi
klausk at linux.vnet.ibm.com
Tue Jun 16 16:09:49 UTC 2009
On Tue, 2009-06-16 at 11:43 -0400, Eric Paris wrote:
> Note that audit watches don't use inotify to do any of the actual
> auditing. They just use inotify to discover the watched files were
> created or removed. So we weren't using much of the inotify feature
> set.
Eric,
thanks for the thorough explanation.
It's been a while since I last looked, but the file watches are being
audited at the syscall level, right? So inotify/fsnotify is used to
associate a filename to an inode when the file is created, or to
deassociate when it is removed. Is the rename/mv also covered by those
or differently? I remember that moving a file around doesn't invalidate
its rule (the file's inode is still the same), but auditctl -l doesn't
follow the name around, for example.
But that's also probably the right thing to do in that case, I'm not
sure.
-Klaus
--
Klaus Heinrich Kiwi <klausk at linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center