Re: [RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing

Thursday, 31 March 2005

.:: Introduction ::.

The audit subsystem is currently incapable of auditing a file system object 
based on its location and name.  This is critical for auditing well-defined 
and security-relevant files such as /etc/shadow, where auditing on inode and 
device is fallible.  This patch adds the necessary functionality to the audit 
subsystem and VFS to support file system auditing in which an object is 
audited based on its location and name.

The patch is split in two.

The first patch is the implementation of file system auditing.  The bulk of it 
resides in kernel/auditfs.c.  It is accompanied by a functional overview of 
the design in the next message.

The second patch consists of file system hooks.  I anticipate some discussion 
with regards to them and wanted to provide some context around their 
placements and purpose.

----

There... is that succinct enough?

-tim

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: [RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing