On Monday 28 March 2005 11:29 am, Steve Grubb wrote:
> On Monday 28 March 2005 12:05, Timothy R. Chavez wrote:
> > Thus you really wouldn't know the location of these watches.
> I prefer keeping it simple. Just dump the whole list. This is how the list
> rules work. Besides,
Right, but list rules are fundamentally different than the watch list stuff.
Trying to make it "all fit" might make it look rather sloppy and give us
misinformation. Technically speaking, the watches are disseminated all over
an entire filesystem and they appear on different devices and namespaces.
What makes a watch is two parts: its location, and what's at that location.
If we dump back a "global" list simply with the paths we used to add the
watch and we have,
"/usr/this_file_is_watched"...
How do we know this is accurate?
What if we changed the /usr device by mounting over it after we inserted the
watch, and we then forgetfully say to ourselves, "Oh, we have a watch
at /usr/this_file_is_watched" and then we try to remove it, but to no avail;
the watch doesn't truly exist here (i.e., we can't get to it from this path
currently). This information is not trustworthy.
Even if we could do a d_path() on the dentry that holds the watch (this would
require that we save the dentry on the watch), this might not give us ALL the
information we need. I think it's easy enough for the admin to go, "Oh, hm, I
wonder if I added a watch here, let me check." The downside is if they
want the global list of all watches; they can get at it with:
find / -type d -exec auditctl -L {} ";"
That would be the way to do that; this would take a great amount of time (but
would be most accurate).
> audit -L | grep '^\/tmp'
> should get the ones on tmp.
> -Steve
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
--
-tim
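The /usr mount-over argument above, as an added example that is not part of the original thread or of the audit project's code: a watch is identified by the object it was placed on, not by the path string, so a saved path can only be trusted if it still resolves to the same (st_dev, st_ino) pair it did at insertion. The names WatchRecord, record_watch and watch_still_reachable are hypothetical. Mounting requires root, so the demo stands in for "mount over /usr" by renaming a different directory, carrying a same-named file, into the watched path; the original object still exists underneath but is no longer reachable by that path, which is exactly the case the message describes.

```python
"""Hypothetical userspace check: remember what object a watch path named when
the watch was added, then verify later whether the path still leads there.
Not code from the audit project; names and layout are assumptions."""
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class WatchRecord:
    """A watch is two parts: its location, and what's at that location."""
    path: str   # the path used when the watch was added
    dev: int    # st_dev of the object at insertion time
    ino: int    # st_ino of the object at insertion time


def record_watch(path: str) -> WatchRecord:
    """Capture the identity (dev, ino) of whatever 'path' names right now."""
    st = os.stat(path)
    return WatchRecord(path=path, dev=st.st_dev, ino=st.st_ino)


def watch_still_reachable(rec: WatchRecord) -> bool:
    """True only if rec.path still resolves to the object watched at insertion.

    A later mount over a parent directory (or any replacement of the object)
    changes what the path names while the path string stays the same, so a
    dumped list of paths alone cannot tell the admin where the watches are.
    """
    try:
        st = os.stat(rec.path)
    except FileNotFoundError:
        return False
    return (st.st_dev, st.st_ino) == (rec.dev, rec.ino)


def demo() -> tuple:
    """Return (reachable_before, reachable_after) around a simulated mount-over.

    Constructed scenario in a temporary directory; no root needed.
    """
    base = tempfile.mkdtemp()
    try:
        usr = os.path.join(base, "usr")
        os.mkdir(usr)
        target = os.path.join(usr, "this_file_is_watched")
        open(target, "w").close()
        rec = record_watch(target)
        before = watch_still_reachable(rec)   # same object -> True

        # Stand-in for mounting another filesystem over /usr: the original
        # tree is moved aside (it still exists, like a covered mount point)
        # and a different tree with a same-named file takes the path.
        other = os.path.join(base, "other")
        os.mkdir(other)
        open(os.path.join(other, "this_file_is_watched"), "w").close()
        os.rename(usr, os.path.join(base, "usr.under"))
        os.rename(other, usr)
        after = watch_still_reachable(rec)    # different inode -> False
        return before, after
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same identity check is what makes a per-directory listing like the find/auditctl loop above accurate where a global path dump is not: each directory is stat'ed as it currently is, so a watch that has been covered by a mount simply does not show up under the covered path.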