On Tue, 2005-01-25 at 01:22, Timothy R. Chavez wrote:
> Alright,
> Once again, thank you to Serge, Chris, and David for all the insight.
> Here's the latest patch incorporating many of the changes you all
> suggested. There are still some things missing and not fully tested
> (for instance, the locking).
> TODO:
> * Make filesystem auditing enabled/disabled at runtime
> * Re-add comments with proper DocBook formatting
> * Remove Makefile changes
> * Move struct audit_file to a slab cache
> Am I forgetting something? (Soooo tired ;-))
> I'd appreciate any and all comments / feedback. Thank you.
Possibly I missed earlier discussion of this issue, but I would have
expected an audit watch to have an associated permission mask (i.e. I
only want to watch for writes to /etc/passwd, not reads), and have
audit_notify_watch() only add an entry to the audit context if the audit
watch mask has a non-zero intersection with the requested permission
mask. Otherwise, you will be generating a ton of useless entries.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
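The mask check described above, as an added C illustration that is not the patch under discussion: struct and function names (audit_watch, audit_context, audit_add_watch, demo_passwd_watch) are hypothetical stand-ins, and MAY_READ/MAY_WRITE use the kernel's permission-bit values.

```c
#include <string.h>

#define MAY_WRITE 2          /* same bit values as the kernel's permission mask */
#define MAY_READ  4
#define MAX_WATCHES 8
#define MAX_ENTRIES 16

struct audit_watch {
    const char *path;
    unsigned int mask;       /* accesses this watch cares about (hypothetical field) */
};

struct audit_context {
    unsigned int nwatches, nentries;
    struct audit_watch watches[MAX_WATCHES];
    const char *entries[MAX_ENTRIES];   /* records queued for the current syscall */
};

int audit_add_watch(struct audit_context *ctx, const char *path, unsigned int mask)
{
    if (ctx->nwatches >= MAX_WATCHES || mask == 0)
        return -1;           /* a watch with an empty mask could never fire */
    ctx->watches[ctx->nwatches].path = path;
    ctx->watches[ctx->nwatches].mask = mask;
    ctx->nwatches++;
    return 0;
}

/* Called from the permission check; queue a record only if the requested access overlaps the watch mask. */
int audit_notify_watch(struct audit_context *ctx, const char *path, unsigned int requested)
{
    for (unsigned int i = 0; i < ctx->nwatches; i++) {
        struct audit_watch *w = &ctx->watches[i];
        if (strcmp(w->path, path) != 0)
            continue;
        if ((w->mask & requested) == 0)
            return 0;        /* e.g. a read of a write-only watch: no noise */
        if (ctx->nentries < MAX_ENTRIES)
            ctx->entries[ctx->nentries++] = path;
        return 1;            /* record queued */
    }
    return 0;                /* path is not watched at all */
}

/* The thread's scenario: watch /etc/passwd for writes only; returns records queued. */
unsigned int demo_passwd_watch(void)
{
    struct audit_context ctx = {0};
    audit_add_watch(&ctx, "/etc/passwd", MAY_WRITE);
    audit_notify_watch(&ctx, "/etc/passwd", MAY_READ);             /* skipped */
    audit_notify_watch(&ctx, "/etc/passwd", MAY_WRITE);            /* queued */
    audit_notify_watch(&ctx, "/etc/passwd", MAY_READ | MAY_WRITE); /* queued */
    return ctx.nentries;                                           /* 2 */
}
```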