On Thu, 2005-03-31 at 16:46 -0600, Timothy R. Chavez wrote:
> The audit subsystem is currently incapable of auditing a file system object
> based on its location and name.  This is critical for auditing well-defined
> and security-relevant files such as /etc/shadow, where auditing on inode and
> device is fallible.
You might want to elaborate slightly on what you mean by "fallible",
e.g. rewriting this sentence to:
This is critical for auditing well-defined and security-relevant
locations like /etc/shadow, where the file is re-created on each
transaction and thus (device, inode)-based filters will not ensure
persistence of auditing across transactions.
-- 
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
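
The point made in the reply above, as an added example that is not part of the original thread: a file that is updated by writing a new copy and renaming it over the old one gets a new inode on each transaction, so a filter keyed on (device, inode) stops matching while one keyed on location and name keeps matching. The `shadow` file in a temporary directory is a constructed stand-in for /etc/shadow, and all function names are illustrative.

```python
import os
import tempfile

def identity(path):
    """(device, inode) pair that an inode-based audit filter would key on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def replace_transaction(path, data):
    """Write a new file beside `path`, then rename it over `path`."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".new-")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.replace(tmp, path)

def simulate(transactions=3):
    """Return (per-transaction filter results, link count of the original file)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shadow")            # constructed stand-in for /etc/shadow
        with open(path, "w") as f:
            f.write("root:*:12874:0:99999:7:::\n")  # constructed sample entry
        rule_identity = identity(path)  # filter installed once, by (device, inode)
        rule_path = path                # filter installed once, by location and name
        original = open(path)           # keeps the old inode allocated so its number is not reused
        results = []
        for n in range(transactions):
            replace_transaction(path, f"root:*:{12875 + n}:0:99999:7:::\n")
            event = (path, identity(path))  # an access to the file after the update
            results.append((event[1] == rule_identity, event[0] == rule_path))
        orphan_links = os.fstat(original.fileno()).st_nlink
        original.close()
        return results, orphan_links

if __name__ == "__main__":
    results, orphan_links = simulate()
    for n, (by_inode, by_path) in enumerate(results, 1):
        print(f"transaction {n}: inode filter matches={by_inode}, path filter matches={by_path}")
    print(f"links left on the originally watched inode: {orphan_links}")
```

The link count of zero on the originally watched inode shows that the (device, inode) filter is left attached to an object that no longer has a name in the file system.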