On Wed, 2005-03-16 at 10:52 -0600, Timothy R. Chavez wrote:
> Right, the manner in which you get records for watched files /
> directories is by filtering on syscalls that access those watched
> files / directories.  In our case we said it was sufficient to audit
> the following two:
>
> ./auditctl -a exit,always -S open
> ./auditctl -a exit,always -S unlink
Hmmm...at least with vanilla 2.6.11+your patch, this starts immediately
generating audit records for _all_ opens and unlinks that occur on the
system.  I assume that isn't what you want.
> So then when you do,
>
> ./auditctl -w /etc/passwd -k fk_passwd_f
I would have expected this to implicitly enable auditing whenever
audit_notify_watch() is called on an inode that has previously been
flagged as requiring auditing by audit_watch().  I wouldn't expect it to
require further rules, and I certainly wouldn't want to have to audit
all opens just to get these records...
-- 
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency