On Thursday 24 March 2005 10:28 am, Stephen Smalley wrote:
> Both approaches ensure that an audit record
> is emitted whenever an auditable inode is encountered, but the present
> approach yields two separate audit records (one immediate from your hook
> and one upon syscall exit) vs. a single unified record. What do we
> want? What do others think?
Hmmm... Here's what I get:
./auditctl -w /audit/foo -k fk_foo
cat /audit/foo
audit(1111683374.383:13808290): name="foo" filterkey=fk_foo perm=0 perm_mask=4
inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683374.383:13808290): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0
a3=8000 items=1 pid=31676 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0
audit(1111683374.383:13808290): item=0 name="/audit/foo" inode=962899
dev=00:00
This seems to be a complete record. I add an additional watch:
./auditctl -w /audit -k fk_audit
cat /audit/foo
audit(1111683471.201:13919013): name="audit" filterkey=fk_audit perm=0
perm_mask=1 inode=960993 inode_uid=0 inode_gid=0 inode_dev=03:03
inode_rdev=00:00
audit(1111683471.201:13919013): name="foo" filterkey=fk_foo perm=0 perm_mask=4
inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683471.201:13919013): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0
a3=8000 items=1 pid=31692 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0
audit(1111683471.201:13919013): item=0 name="/audit/foo" inode=962899
dev=00:00
--
-tim
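As an added example (not code from this thread or from the audit project), a small Python parser for the records quoted above: it groups records by their audit(timestamp:serial) event id, separates the watch-hit records carrying a filterkey from the syscall and item records, and marks which watch hit names the inode the syscall actually operated on. The sample input is constructed from the records in the message; the is_target field name is mine.

```python
import re
from collections import defaultdict
# Constructed sample: the records quoted in the message above, one event per
# cat run, each identified by its audit(timestamp:serial) header.
SAMPLE = """\
audit(1111683374.383:13808290): name="foo" filterkey=fk_foo perm=0 perm_mask=4 inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683374.383:13808290): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0 a3=8000 items=1 pid=31676 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
audit(1111683374.383:13808290): item=0 name="/audit/foo" inode=962899 dev=00:00
audit(1111683471.201:13919013): name="audit" filterkey=fk_audit perm=0 perm_mask=1 inode=960993 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683471.201:13919013): name="foo" filterkey=fk_foo perm=0 perm_mask=4 inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683471.201:13919013): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0 a3=8000 items=1 pid=31692 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
audit(1111683471.201:13919013): item=0 name="/audit/foo" inode=962899 dev=00:00
"""
HEADER = re.compile(r'^audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs: the value is a double-quoted string or a bare token
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return (timestamp, serial, fields) for one record, or None for anything else."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return ts, int(serial), fields

def group_events(text):
    """Group records by serial number, preserving emission order within an event."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append(parsed[2])
    return dict(events)

def summarize(records):
    """Split one event into its syscall fields and its watch hits. A hit is
    is_target when its inode is the inode of an item record, i.e. the watched
    object is the file operated on rather than a directory crossed on lookup."""
    syscall = next((r for r in records if "syscall" in r), None)
    item_inodes = {r["inode"] for r in records if "item" in r}
    return {
        "syscall": int(syscall["syscall"]) if syscall else None,
        "exit": int(syscall["exit"]) if syscall else None,
        "pid": int(syscall["pid"]) if syscall else None,
        "watches": [{"key": r["filterkey"], "name": r["name"],
                     "perm_mask": int(r["perm_mask"]), "is_target": r["inode"] in item_inodes}
                    for r in records if "filterkey" in r],
    }
```

Running summarize over the second event shows the fk_audit hit on the parent directory alongside the fk_foo hit on the file itself, which is the multi-record shape the message is discussing.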