On Monday 28 March 2005 12:59 pm, Steve Grubb wrote:
> On Monday 28 March 2005 12:55, Timothy R. Chavez wrote:
> > The down side is if they wanted the global list of all watches (they can
> > get at):
> >
> > find / -type d -exec auditctl -L {} ";"
> >
> > would be the way to do that -- this would take a great amount of time
> > (but would be most accurate).
>
> What happened to all those text strings that auditctl sent into the kernel
> to set up the watches? Did they get discarded? It seems to me that they
> should still be around and on a list of some kind.

Hm? The watch.name we pass into the kernel is a <path> to the watch point.
We use it to walk the filesystem up to the parent of the watch point. The
watch that is added into the filesystem has a watch->name eq "terminating
file/dir name of <path>" -- we can only assume <path> is relevant for this
walk for the reasons I mentioned in my prior e-mail.

> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit

--
-tim