RE: audit 0.6 release

--- David Woodhouse <dwmw2(a)infradead.org&gt; wrote: There will be times when one will wish to filter on any of - The pathname requested /tmp/symlink_to_passwd - The pathname resolved /tmp/symlink_to_passwd/etc/passwd - One of the other names of the object /tmp/hardlink_to_passwd Erg. That logic implies that you'd want a record for each directory the lookup passes through. Don't think that that has never been seriously considered, BTW. That is correct. In this case what you want to do is - Get the pathname of the object you want to filter on (/etc/passwd) - Fetch the dev/inode information - For each record that comes out look for either the name you requested or the dev/inode pair. - When you see the pathname unlinked you might forget the dev/inode, but since when it was /etc/passwd you cared about it who's to say you don't now, just because it has a different name? - When /etc/passwd is renamed to /etc/opasswd do you want to stop watching it? This could go either way. - When you see the pathname created you refetch the dev/inode Costly, yes. ===== Casey Schaufler casey(a)schaufler-ca.com __________________________________ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. http://promotions.yahoo.com/new_mail