On Thu, 2005-01-27 at 09:09, Stephen Smalley wrote:
Possibly I missed earlier discussion of this issue, but I would have
expected an audit watch to have an associated permission mask (i.e. I
only want to watch for writes to /etc/passwd, not reads), and have
audit_notify_watch() only add an entry to the audit context if the audit
watch mask has a non-zero intersection with the requested permission
mask. Otherwise, you will be generating a ton of useless entries.
I suppose one exception to the above logic is if the mask specified for
the audit watch itself is 0, then you should always add the entry
regardless of the requested permission mask, so that you can audit even
existence tests (i.e. access(path, F_OK)) of the file if desired. So
legitimate masks might be 0 (audit all accesses, even existence tests)
or any combination of MAY_READ, MAY_WRITE, MAY_EXEC, and MAY_APPEND
(audit only the specified kind of accesses).
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
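The following is an added user-space model of the mask rule described above; it is not code from this thread or from the kernel's audit code. The watch table, the should_audit() and audit_watch_matches() helpers, and the locally defined MAY_* constants (their values mirror the kernel's defines but are redefined so the example builds outside the kernel tree) are assumptions for the example. It shows the two cases that matter: a non-zero watch mask fires only when it intersects the requested permission mask, so an existence test (requested mask 0) is silently skipped, while a watch mask of 0 fires for every access including existence tests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Permission bits; values mirror the kernel's MAY_* defines in linux/fs.h,
 * redefined locally so this example compiles in user space. */
#define MAY_EXEC   0x1
#define MAY_WRITE  0x2
#define MAY_READ   0x4
#define MAY_APPEND 0x8

/* Hypothetical audit watch: a path plus the permission mask to audit.
 * A mask of 0 means "audit every access, including existence tests". */
struct audit_watch {
    const char *path;
    unsigned int mask;
};

/* Decide whether one watch fires for a requested permission mask.
 * requested == 0 models access(path, F_OK): no permission bits asked for. */
bool audit_watch_matches(unsigned int watch_mask, unsigned int requested)
{
    if (watch_mask == 0)
        return true;                      /* audit all accesses, even F_OK */
    return (watch_mask & requested) != 0; /* audit only the watched kinds */
}

/* Constructed watch table for the example (not real configuration). */
static const struct audit_watch watches[] = {
    { "/etc/passwd", MAY_WRITE | MAY_APPEND }, /* writes only, reads ignored */
    { "/etc/shadow", 0 },                      /* everything, incl. existence */
};

/* Model of the decision audit_notify_watch() would make: true if an audit
 * entry should be added for this (path, requested mask) pair. */
bool should_audit(const char *path, unsigned int requested)
{
    for (size_t i = 0; i < sizeof watches / sizeof watches[0]; i++) {
        if (strcmp(watches[i].path, path) != 0)
            continue;
        return audit_watch_matches(watches[i].mask, requested);
    }
    return false; /* no watch on this path */
}

int main(void)
{
    printf("write /etc/passwd : %d\n", should_audit("/etc/passwd", MAY_WRITE));
    printf("read  /etc/passwd : %d\n", should_audit("/etc/passwd", MAY_READ));
    printf("F_OK  /etc/passwd : %d\n", should_audit("/etc/passwd", 0));
    printf("F_OK  /etc/shadow : %d\n", should_audit("/etc/shadow", 0));
    printf("read  /etc/shadow : %d\n", should_audit("/etc/shadow", MAY_READ));
    return 0;
}
```

The practical consequence is the one Stephen raises: without the mask check, every read of a watched file produces an audit entry, so the intersection is what keeps a write-only watch on /etc/passwd from flooding the log, and a watch mask of 0 is the explicit opt-in for auditing existence probes as well.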