On Friday 01 April 2005 08:05 am, Stephen Smalley wrote:
> On Thu, 2005-03-31 at 16:46 -0600, Timothy R. Chavez wrote:
> > The audit subsystem is currently incapable of auditing a file system
> > object based on its location and name. This is critical for auditing
> > well-defined and security-relevant files such as /etc/shadow, where
> > auditing on inode and device is fallible.
>
> You might want to elaborate slightly on what you mean by "fallible",
> e.g. rewriting this sentence to:
>
> This is critical for auditing well-defined and security-relevant
> locations like /etc/shadow, where the file is re-created on each
> transaction and thus (device, inode)-based filters will not ensure
> persistence of auditing across transactions.
Hm. Ok...
So how about I do this all in one message, cut out the general overview and
hook explanations and save those for discussion? By the time this goes to
fsdevel there should be an audit package in-sync with the RFC patch.
-tim
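An added illustration of the point Stephen raises about (device, inode)-based filters; this is example code written for this page, not part of the audit patch or the thread. It assumes the file is replaced with the common write-temp-then-rename pattern (a stand-in for how /etc/shadow gets re-created) and simulates two watch styles on a constructed temp file, showing that the inode-keyed watch stops matching after one replacement while the path-keyed watch persists.

```python
import os
import tempfile


def file_key(path):
    """The (device, inode) pair an inode-based audit watch would record."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def replace_atomically(path, data):
    """Re-create `path` by writing a temp file in the same directory and
    renaming it over the original (assumed replacement pattern). The name
    survives; the inode does not."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.rename(tmp, path)


def simulate_watches(path, data):
    """Install one watch keyed on (dev, ino) and one keyed on the path,
    replace the file once, and report which watch still matches the
    object now reachable at `path`."""
    inode_watch = file_key(path)            # what a (device, inode) filter stores
    path_watch = os.path.realpath(path)     # what a location/name filter stores
    replace_atomically(path, data)
    return {
        "inode_watch_matches": file_key(path) == inode_watch,
        "path_watch_matches": (os.path.exists(path)
                               and os.path.realpath(path) == path_watch),
    }


def demo():
    """Run the simulation on a constructed stand-in for /etc/shadow."""
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, "shadow")   # constructed sample file
        with open(shadow, "wb") as f:
            f.write(b"root:*:0:0:99999:7:::\n")
        return simulate_watches(shadow, b"root:*:1:0:99999:7:::\n")


if __name__ == "__main__":
    print(demo())
```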