On Tue, 25 Jan 2005 22:28:40 CST, "Timothy R. Chavez" said:
Also, when we watch /home/case/viruses/, it's important to note that
we are not watching anything within viruses/ and that access to
files/directories within viruses/ does not necessarily "pass through"
viruses/. So, if we do "cat /home/casey/viruses/deadly37" no audit
record for "viruses/" would be generated and recorded.

Umm... did you mean the case where 'deadly37' has more than one hard link
to it, and references via "the other path" won't trip?
(If it doesn't "pass through", why does 'chmod 0 /home/casey/viruses' do
anything? We do the filesystem perms check, possibly an ACL check if the
filesystem supports them, and even an LSM hook. So how can you go "through"
without getting an audit record?)
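
The two cases raised in this exchange, reproduced in a scratch directory as an added example that is not part of the original mail: a path walk through viruses/ is subject to that directory's permission check, while a second hard link reaches the same inode without touching viruses/ at all. The names elsewhere/ and alias are constructed for the demo, and the script exercises only path resolution, not the audit subsystem.

```shell
#!/bin/sh
# Constructed demo tree; only viruses/ and deadly37 are names from the thread.

# Print the inode number of a path.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Create one file reachable by two hard links and print the scratch root:
#   <root>/viruses/deadly37   inside the directory being discussed
#   <root>/elsewhere/alias    second link, outside that directory
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/viruses" "$root/elsewhere" || return 1
    echo "sample" > "$root/viruses/deadly37" || return 1
    ln "$root/viruses/deadly37" "$root/elsewhere/alias" || return 1
    echo "$root"
}

# Succeed if both paths name the same inode.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# Remove all permissions from viruses/, then try to read the file by each
# path. Prints "<via viruses/> <via alias>" as yes/no. Root bypasses the
# directory permission check, so as root the first field is also "yes".
probe_after_chmod0() {
    chmod 0 "$1/viruses"
    if cat "$1/viruses/deadly37" >/dev/null 2>&1; then a=yes; else a=no; fi
    if cat "$1/elsewhere/alias" >/dev/null 2>&1; then b=yes; else b=no; fi
    chmod 700 "$1/viruses"   # restore so the tree can be removed
    echo "$a $b"
}

demo() {
    r=$(make_tree) || return 1
    echo "inode via viruses/: $(inode_of "$r/viruses/deadly37")"
    echo "inode via alias:    $(inode_of "$r/elsewhere/alias")"
    echo "readable after chmod 0 viruses/ (viruses alias): $(probe_after_chmod0 "$r")"
    rm -rf "$r"
}

demo
```

Run as an unprivileged user, the last line reports `no yes`: the lookup through viruses/ is refused at the directory, and the alias path still opens the same inode.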