On Wed, 2004-12-15 at 17:03 +0000, Timothy R. Chavez wrote:
> .. just hook permission(9) rather than the individual vfs_*
> functions.
That seems like a pretty good idea since all the information about the
syscall will be covered elsewhere, all we really need is a place
where we have the inode and access to its audit data.
Are there any objections with this approach?
Does this approach still allow us to cover the example of failed file-
opens (no such file or dir), where an inode does not exist, but the
administrator wants an indication that the attempt was made?
eg: normal user$ echo "+ + someuser" > /etc/hosts.equiv
bash: /etc/hosts.equiv: No such file or directory
In general, two (or more) audit events could be generated here:
* Permission denied on create file, in /etc (which would be covered by
the permission() inode), and
* User attempted to WRITE to /etc/hosts.equiv, and failed.
Leigh.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/