On Wed, Nov 02, 2005 at 02:58:20PM -0500, Steve Grubb wrote:
On Wednesday 02 November 2005 14:40, Amy Griffis wrote:
> (2) A set of filesystem-related aliases for groups of system calls.
>     Currently, one alias "all" is provided that maps to the full set
>     of system calls on a given arch.
Could you show a full auditctl example of this alias?
auditctl -a exit,always -S all -F path=/home/watchme
With the result being that all bits are set in audit_rule.mask.
>     Here are some examples of other aliases that could be provided:
>
>     fs-create:  creat,link,mkdir,mknod,open,rename,symlink
>     fs-remove:  rename,rmdir,unlink
>     fs-attr:    chmod,chown,fchmod,fchown,fremovexattr,fsetxattr,lchown,
>                 lremovexattr,lsetxattr,removexattr,setxattr,truncate,utime(s)
>     fs-all:     all filesystem-related syscalls
And one or two of these?
These two rules would be functionally equivalent, but the first is
more convenient:
auditctl -a exit,always -S fs-remove -F path=/home/watchme
auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme
> (3) If backward compatibility with the -w, -W, and -p options is
>     desired,
Yes, it is for now.
Thanks,
-Steve