On Wednesday 16 March 2005 11:05 am, Stephen Smalley wrote:
<snip>
> I would have expected this to implicitly enable auditing whenever
> audit_notify_watch() is called on an inode that has previously been
> flagged as requiring auditing by audit_watch(). I wouldn't expect it to
> require further rules, and I certainly wouldn't want to have to audit
> all opens just to get these records...

Alright, let me see what I can do. The advantage to using the syscall is that
when you assembled the record from its serial numbers, you could see "Ok an
open() was called on our watched file and failed" -- I didn't really feel
like there was a better or easier way to express this when I first started
development.
-tim