On Wed, 26 Jan 2005 23:18:56 -0500, Valdis.Kletnieks(a)vt.edu
<Valdis.Kletnieks(a)vt.edu> wrote:
> On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:
> > Also, when we watch /home/case/viruses/, it's important to note that
> > we are not watching anything within viruses/ and that access to
> > files/directories within viruses/ do not necessarily "pass through"
> > viruses/. So, if we do "cat /home/casey/viruses/deadly37" no audit
> > record for "viruses/" would be generated and recorded.
>
> Umm... did you mean the case where 'deadly37' has more than one hard link
> to it, and references via "the other path" won't trip?

Nope.

> (If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do
> anything? We do the filesystem perms check, possibly an ACL check if the
> filesystem supports them, and even an LSM hook. So how can you go "through"
> without getting an audit record?
Unless I was doing something wrong. When I tested a watch point on
both "/etc" and "passwd" and issued a "cat /etc/passwd", only a
record for "passwd" was generated. Then, when I did a "cat /etc", I
received a record for "etc" -- I was only recording open() syscalls,
however.
I didn't look into this behavior too much, but I will. Let me retest
this in the morning with the patch #2 (since the current code is kind
of broken right now *cough*) and send some results.
--
- Timothy R. Chavez
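Added here as an illustration, not code from the thread or from the audit patch under discussion: a small Python parser for the records Timothy's test would produce, fed a constructed two-event log (watches on /etc and /etc/passwd, only open() audited), that reports which watched paths actually appear in an event's PATH records and which watched parent directories the lookup crossed without a record. The record layout and all field values are assumptions for the example, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample (not real output) of what auditd would log for the thread's two
# tests: watches on /etc and /etc/passwd, only open() audited (syscall 5 on i386,
# arch=40000003); inode/dev values are invented. Layout: "type=X msg=audit(ts:serial): k=v ...".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1106800000.101:11): arch=40000003 syscall=5 success=yes exit=3 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1106800000.101:11): cwd="/root"
type=PATH msg=audit(1106800000.101:11): item=0 name="/etc/passwd" inode=101 dev=03:01 mode=0100644
type=SYSCALL msg=audit(1106800000.102:12): arch=40000003 syscall=5 success=yes exit=3 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1106800000.102:12): cwd="/root"
type=PATH msg=audit(1106800000.102:12): item=0 name="/etc" inode=100 dev=03:01 mode=040755
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_events(log_text):
    """Group records sharing a serial number into one event per syscall.
    Returns {serial: {"syscall": str or None, "names": [PATH names in order]}}."""
    events = defaultdict(lambda: {"syscall": None, "names": []})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record line
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev["syscall"] = fields.get("syscall")
        elif rtype == "PATH" and "name" in fields:
            ev["names"].append(fields["name"])
    return dict(events)

def watches_tripped(event, watched_paths):
    """Watched paths that appear verbatim as a PATH name in the event. This is the
    behaviour Timothy observed: only the opened object itself is reported."""
    return sorted(w for w in watched_paths if w in event["names"])

def parent_watches_bypassed(event, watched_paths):
    """Watched directories the lookup walked through without producing a PATH
    record, i.e. the "pass through" gap the thread is about."""
    tripped = set(watches_tripped(event, watched_paths))
    bypassed = set()
    for name in event["names"]:
        for w in watched_paths:
            if w not in tripped and name.startswith(w.rstrip("/") + "/"):
                bypassed.add(w)
    return sorted(bypassed)
```

Running the two functions over each event of the sample reproduces the observation in the thread: the event for `cat /etc/passwd` trips only the passwd watch and lists /etc as bypassed, while the event for `cat /etc` trips the /etc watch and bypasses nothing.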