On Wed, 2005-03-16 at 11:16 -0600, Timothy R. Chavez wrote:
> Alright, let me see what I can do. The advantage to using the syscall is that
> when you assembled the record from its serial numbers, you could see "Ok an
> open() was called on our watched file and failed" -- I didn't really feel
> like there was a better or easier way to express this when I first started
> development.
Compare with the existing syscall filter rules for opening a specific
inode, e.g. even with vanilla 2.6.11, I can do the following:
auditctl -a exit,always -S open -F inode=`ls -i /etc/shadow | awk '{print $1}'`
And then a cat /etc/shadow generates an audit record, whereas opening
other files does not. Note that I should actually be specifying a
(device, inode) pair to avoid ambiguity, but I don't think chrisw's
fixes for the device filters were included in 2.6.11.
Offhand, I don't see why you wouldn't just always set context->auditable
to 1 upon any audit_notify_watch() call on an inode marked as requiring
auditing, but alternatively, you could define a new filter "field"
called "watch" and modify the kernel and auditctl so that if someone
specified:
auditctl -a exit,always -S open -F watch
then the kernel would only generate an audit record if a watched inode
was encountered during processing of an open syscall.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
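As an added illustration of the (device, inode) pair mentioned above (not code from either poster), the following POSIX shell builds the unambiguous form of the inode rule. It assumes GNU `stat` and a kernel/auditctl where the `devmajor`/`devminor` filter fields work; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build an audit syscall filter rule keyed on the
# (device, inode) pair rather than the inode alone, so two files with
# the same inode number on different filesystems are not confused.
# Assumes GNU coreutils stat and working devmajor/devminor filters.

# Split a Linux dev_t (as printed by `stat -c %d`) into major and minor
# using the kernel encoding: major in bits 8-19 (and 32 and up),
# minor in bits 0-7 and 20-31.
dev_major() { echo $(( (($1 >> 8) & 0xfff) | (($1 >> 32) & ~0xfff) )); }
dev_minor() { echo $(( ($1 & 0xff) | (($1 >> 12) & ~0xff) )); }

# Print (do not run) the auditctl rule for one syscall and one
# (dev, inode) pair. The printed command needs root to load.
watch_rule() {
    sc=$1; dev=$2; ino=$3
    echo "auditctl -a exit,always -S $sc" \
         "-F devmajor=$(dev_major "$dev")" \
         "-F devminor=$(dev_minor "$dev")" \
         "-F inode=$ino"
}

# Resolve a path to its (dev, inode) pair and print the rule for it.
# Defaults to the open syscall, as in the mail's example.
watch_rule_for_path() {
    path=$1; sc=${2:-open}
    dev=$(stat -c %d "$path") || return 1
    ino=$(stat -c %i "$path") || return 1
    watch_rule "$sc" "$dev" "$ino"
}

# Example invocation (prints the rule for the shadow file):
#   watch_rule_for_path /etc/shadow
```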