On Tue, 2005-03-15 at 14:42 -0500, Stephen Smalley wrote:
> Ok, why doesn't the following trigger any audit messages:
>
> # ./auditctl -w /etc/shadow
> AUDIT_WATCH : INSERT : SUCCESS
>
> $ passwd
> Changing password for user sds.
> Changing password for sds
> (current) UNIX password:
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.
>
> /etc/shadow was re-created by this transaction.
>
> I did see debugging messages about pushing and popping data on the cache stack.
Hmmm...how is this supposed to work?  audit_log_exit() isn't called
unless context->auditable is set.  Should audit_notify_watch() be
setting context->auditable when adding a file to the wtrail so that it
will be processed upon syscall exit?  Otherwise, you need some other
filter to enable the auditable flag separate from your watch, right?
-- 
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
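The gating behaviour described in the reply above (a watch hit pushed onto the wtrail, but audit_log_exit() skipped because context->auditable was never set, versus a separate syscall filter that does set it) as an added, constructed stand-alone model. This is not the kernel's audit code or anything from the thread; the identifiers auditable, wtrail, audit_notify_watch and audit_log_exit are borrowed from the message, while the struct layout, the simulate_syscall() driver and its two flags are hypothetical and exist only to make the three cases comparable.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the audit-context gating logic, NOT kernel code.
 * Names mirror the mailing-list message; the shape of the structs and the
 * driver function are assumptions made for this example. */

#define MAX_WATCHED 4

struct watch_entry {
    const char *path;
};

/* Hypothetical per-syscall audit context. */
struct audit_context {
    int in_syscall;
    int auditable;                          /* gates record emission at syscall exit */
    int wtrail_len;                         /* number of watch hits recorded */
    struct watch_entry wtrail[MAX_WATCHED];
    int records_emitted;
};

/* The single configured watch, as with "auditctl -w /etc/shadow". */
static const char *watched_path = "/etc/shadow";

/* Called when a file is touched mid-syscall. watch_sets_auditable selects the
 * behaviour under discussion: 0 = watch only pushes onto the wtrail,
 * 1 = watch also marks the context auditable (the proposed fix). */
static int audit_notify_watch(struct audit_context *ctx, const char *path,
                              int watch_sets_auditable)
{
    if (!ctx->in_syscall || strcmp(path, watched_path) != 0)
        return 0;
    if (ctx->wtrail_len < MAX_WATCHED)
        ctx->wtrail[ctx->wtrail_len++].path = path;
    if (watch_sets_auditable)
        ctx->auditable = 1;
    return 1;
}

/* Model of audit_log_exit(): one record per wtrail entry. */
static void audit_log_exit(struct audit_context *ctx)
{
    for (int i = 0; i < ctx->wtrail_len; i++)
        ctx->records_emitted++;
}

/* Syscall-exit hook: the record is only written if auditable is set. */
static void audit_syscall_exit(struct audit_context *ctx)
{
    if (ctx->auditable)
        audit_log_exit(ctx);
    ctx->in_syscall = 0;
    ctx->auditable = 0;
    ctx->wtrail_len = 0;
}

/* Drive one syscall that rewrites /etc/shadow (as passwd does).
 * filter_matches models "some other filter" that flags the context
 * auditable at syscall entry, independently of the watch.
 * Returns the number of audit records emitted. */
int simulate_syscall(int watch_sets_auditable, int filter_matches)
{
    struct audit_context ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.in_syscall = 1;
    if (filter_matches)
        ctx.auditable = 1;                  /* syscall filter rule matched at entry */
    audit_notify_watch(&ctx, "/etc/shadow", watch_sets_auditable);
    audit_syscall_exit(&ctx);
    return ctx.records_emitted;
}

int main(void)
{
    printf("watch only, no filter:          %d record(s)\n", simulate_syscall(0, 0));
    printf("watch sets auditable:           %d record(s)\n", simulate_syscall(1, 0));
    printf("watch only, separate filter:    %d record(s)\n", simulate_syscall(0, 1));
    return 0;
}
```

The first case reproduces the symptom in the quoted mail: the watch fires and the wtrail is populated, but nothing reaches audit_log_exit(). The other two cases show the two ways out named in the reply: have audit_notify_watch() set auditable itself, or rely on an unrelated filter rule that happens to mark the syscall auditable.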