On Sat, 23 Apr 2005 01:04:52 -0000, "Timothy R. Chavez" said:
I think for symmetry's sake, that makes sense. But doing a "delete all" in
the kernel has these advantages:
1. All watches can be deleted. This might not be true in user space. If the
path is invalid (i.e., a namespace has changed or the path has become otherwise
inaccessible), you won't be able to delete the watch.
What should actually appear in the audit stream if this case happens? Do we
log enough info that the admin has a fighting chance of figuring out what happened
even in the face of chroot or mount --bind or other similar things?