On Fri, 2005-01-07 at 11:20 +1100, Leigh Purdie wrote:
> Tom can correct me here, but I suspect that ideally:
> * symlinks and links should be resolved. (even if the file linked to
> no longer actually exists - the final path name should still be
> reported/filtered on). Ideally, access to a symlink will actually
> generate TWO events - one for the symlink (open - read), one for the
> final file (open - as per user requirement).

That's a meaningful statement for symlinks but not for hard links. With
hard links there is no one 'final path name'; they're all just different
names for the same inode. If I hard-link /etc/passwd to /tmp/fish then
both of those are _real_ names for it.
It would be almost impossible to implement a system which is asked to
log 'all access to /etc/*' and includes in that the access to /tmp/fish.
--
dwmw2
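
The following is an added example, not part of the original message or of any audit implementation. It shows the distinction made above: resolving a path recovers a symlink's target, but a hard link has no other name to resolve to, so only a rule keyed on (device, inode) matches it. The `etc` and `tmp` directories are constructed stand-ins created under a temporary directory.

```python
import os
import tempfile

def under(path, watched_dir):
    """Path-based rule: is `path` lexically inside `watched_dir`?"""
    return path.startswith(os.path.join(watched_dir, ""))

def inode_index(watched_dir):
    """Inode-based rule: record (device, inode) of every file in the tree."""
    index = set()
    for root, _dirs, files in os.walk(watched_dir):
        for name in files:
            st = os.stat(os.path.join(root, name))
            index.add((st.st_dev, st.st_ino))
    return index

def classify(path, watched_dir, index):
    """Evaluate one accessed path against the three kinds of rule."""
    st = os.stat(path)  # follows symlinks, like open() would
    return {
        "literal": under(path, watched_dir),
        "resolved": under(os.path.realpath(path), watched_dir),
        "inode": (st.st_dev, st.st_ino) in index,
        "nlink": st.st_nlink,  # >1 means other names exist somewhere
    }

def demo():
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        etc = os.path.join(base, "etc")   # constructed stand-in for /etc
        tmp = os.path.join(base, "tmp")   # constructed stand-in for /tmp
        os.mkdir(etc)
        os.mkdir(tmp)
        paths = {
            "passwd": os.path.join(etc, "passwd"),
            "sym": os.path.join(tmp, "sym"),
            "fish": os.path.join(tmp, "fish"),
        }
        with open(paths["passwd"], "w") as f:
            f.write("constructed sample\n")
        os.symlink(paths["passwd"], paths["sym"])  # symlink: has a target path
        os.link(paths["passwd"], paths["fish"])    # hard link: same inode
        index = inode_index(etc)
        return {k: classify(p, etc, index) for k, p in paths.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The inode index here is a snapshot taken once; it does not track files created or replaced under the watched directory afterwards.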