--- "Browder, Tom" <Tom.Browder(a)fwb.srs.com> wrote:
An example of a rule I want is to report when user X tries
unsuccessfully to unlink a specific file.
Just to give you an idea of the magnitude of
what you're asking for:
1. Real UID == X, effective UID == X, logged on
as user X, or providing a remote service on
behalf of user X?
2. Unsuccessfully because he misspelled the path?
3. Do you want to include rename with unlink?
What about unmounting the file system the
file is on?
4. Do you mean the path name "/tmp/foo", or the
inode 86753 on the root file system? What
about symlinks, mount points, and/or pseudo
filesystem redirections?
If the rules are kept in the kernel, how do you
intend to do that? You'll have to check either
every access to the file (assuming you know which
one it is) for unlinks or every unlink to see if
it's the file you're after.
If the audit daemon is going to look for this
event the kernel has to generate any event that
might fit the bill.
I don't want to discourage anyone from putting
a compiler to their shoulder and lending a hand,
but the simple rule suggested is a lot trickier
than it looks. If you haven't read the current
project design it might be a good idea to do so.
=====
Casey Schaufler
casey(a)schaufler-ca.com
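To make the four questions above concrete, here is an added illustration that is not part of the original thread. It is a small Python rule matcher run over a handful of constructed audit-style events (the inode number 86753 and path "/tmp/foo" are taken from the mail; the UIDs, the symlink and the event records are assumptions). A literal reading of the requested rule ("real UID == X, syscall == unlink, path == /tmp/foo, failed") is compared with a broader reading that identifies the file by inode, treats rename as removal, and accepts either real or effective UID; the difference between the two match sets is exactly the ambiguity the reply is pointing at.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Identity of the file the rule is about, as in the mail: the path name,
# and the (inode, filesystem) pair that name currently resolves to.
TARGET_PATH = "/tmp/foo"
TARGET_INODE = (86753, "rootfs")  # constructed filesystem label

USER_X = 1000  # assumed UID for "user X"


@dataclass
class Event:
    """One constructed, audit-style syscall record."""
    syscall: str                      # e.g. "unlink", "rename", "umount"
    uid: int                          # real UID of the caller
    euid: int                         # effective UID of the caller
    success: bool
    path: Optional[str]               # path as supplied by the caller
    inode: Optional[Tuple[int, str]]  # what the path resolved to, if anything
    new_path: Optional[str] = None    # rename destination, when applicable


def literal_rule(ev: Event, user: int) -> bool:
    """The rule as literally stated: user X, unlink, that path, failed."""
    return (ev.syscall == "unlink"
            and ev.uid == user
            and not ev.success
            and ev.path == TARGET_PATH)


def broad_rule(ev: Event, user: int) -> bool:
    """A broader reading: identify the file by inode (so symlinks and other
    names count), treat rename as removal, accept real or effective UID."""
    acts_on_target = ev.inode == TARGET_INODE
    on_behalf_of_user = user in (ev.uid, ev.euid)
    removes_a_name = ev.syscall in ("unlink", "unlinkat", "rename", "renameat")
    return acts_on_target and on_behalf_of_user and removes_a_name and not ev.success


# Constructed sample events, one per question in the mail.
SAMPLE_EVENTS: List[Event] = [
    # 0: the obvious case; both rules agree
    Event("unlink", USER_X, USER_X, False, "/tmp/foo", TARGET_INODE),
    # 1: misspelled path; nothing resolves, so neither rule fires
    Event("unlink", USER_X, USER_X, False, "/tmp/fooo", None),
    # 2: rename of the same inode; only the broad rule counts it
    Event("rename", USER_X, USER_X, False, "/tmp/foo", TARGET_INODE, "/tmp/bar"),
    # 3: unlink through a symlink that resolves to the same inode
    Event("unlink", USER_X, USER_X, False, "/home/x/link", TARGET_INODE),
    # 4: a root service acting on behalf of X (effective UID == X)
    Event("unlink", 0, USER_X, False, "/tmp/foo", TARGET_INODE),
    # 5: successful unlink; the rule asked only for failures
    Event("unlink", USER_X, USER_X, True, "/tmp/foo", TARGET_INODE),
    # 6: unmount of the filesystem the file lives on; neither rule sees it
    Event("umount", 0, 0, False, "/tmp", None),
]


def evaluate(events: List[Event], user: int) -> dict:
    """Return the indices of events each rule would report."""
    return {
        "literal": [i for i, ev in enumerate(events) if literal_rule(ev, user)],
        "broad": [i for i, ev in enumerate(events) if broad_rule(ev, user)],
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS, USER_X).items():
        print(f"{name:8s} reports events {hits}")
```

Run stand-alone it prints the two match sets; the literal rule reports only event 0, while the broad rule also catches the rename, the symlink and the setuid service, and neither notices the unmount. Whichever reading is intended, the matcher needs the inode and both UIDs in every candidate record, which is why the kernel cannot simply emit "unlinks of /tmp/foo" and leave the rest to the daemon.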