On Mon, 2005-03-28 at 19:54 -0600, Timothy R. Chavez wrote:
> Hello,
> Here is the patch that implements the filesystem auditing component of the
> audit subsystem. For this list, attached as a file /w CHANGELOG. Patched
> against linux-2.6.11.5 -- Please note, this is untested in SMP (sorry
> Stephen, haven't had the time; will do tomorrow).

BTW, trivial test for the shadow file example is:

    auditctl -e 1
    auditctl -w /etc/shadow -p w
    passwd
    <change own password>

I see an audit message for syscall 38 (rename), with two auxiliary items
for shadow (with garbage for the inode= fields, looks like you aren't
setting the ino field upon audit_notify_watch), and two items
for /etc/nshadow and /etc/shadow. Why two auxiliary items? Is this due
to the may_delete() notify and the vfs_rename_other() notify both being
triggered upon the rename? I guess that makes sense.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency