* Timothy R. Chavez (chavezt(a)gmail.com) wrote:
> I think it's reasonable enough to keep it virtual. The added benefit
> to doing it this way is we no longer need the mapnode data structure.
> We assume that all files and directories to be audited have complete paths
> that already exist in the file system. Because we're storing
> information on the parent node, the file or directory to be audited
> does not have to exist, but when it does exist, it will get audited.
> If the parent directory is destroyed and then recreated, there's no
> way for it to regain knowledge of what it's supposed to be watching
> or if it's on the path to something that needs to be watched. There
> are disadvantages to not supporting this, but for simplicity's sake,
> someone could simply restart auditd or whatever to remap the changes.
Each process has a namespace (potentially private). So /etc/sensitive
may not be the same file in each namespace.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net