best way to audit in vfs
Chris Wright
chrisw at osdl.org
Tue Dec 14 22:49:37 UTC 2004
* Timothy R. Chavez (chavezt at gmail.com) wrote:
> I think it's reasonable enough to keep it virtual. The added benefit
> to doing it this way is we no longer need the mapnode data structure.
> We assume that all files and directories to be audited complete paths
> that already exist in the file system. Because we're storing
> information on the parent node, the file or directory to be audited
> does not have to exist, but when it does exist, it will get audited.
> If the parent directory is destroyed and then recreated, there's no
> way for it to regain knowledge of what it's supposed to be watching
> or if it's on the path to something that needs to be watched. There
> are disadvantages to not supporting this, but for simplicity's sake,
> someone could simply restart auditd or whatever to remap the changes.
Each process has a namespace (potentially private). So /etc/sensitive
may not be the same file in each namespace.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net