best way to audit in vfs

Leigh Purdie Leigh.Purdie at intersectalliance.com
Wed Dec 15 20:45:00 UTC 2004


On Wed, 2004-12-15 at 17:03 +0000, Timothy R. Chavez wrote:
> > .. just hook permission(9) rather than the individual vfs_* functions.
> 
> That seems like a pretty good idea since all the information about the
> syscall will be covered elsewhere, all we really need is a place
> where we have the inode and access to its audit data.
> 
> Are there any objections with this approach?

Does this approach still allow us to cover the example of failed file-
opens (no such file or dir), where an inode does not exist, but the
administrator wants an indication that the attempt was made?

eg: normal user$ echo "+ + someuser" > /etc/hosts.equiv
bash: /etc/hosts.equiv: No such file or directory

In general, two (or more) audit events could be generated here:
* Permission denied on create file, in /etc (which would be covered by
the permission() inode), and
* User attempted to WRITE to /etc/hosts.equiv, and failed.

Leigh.

-- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
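
The gap raised in the message above, as an added example that is not part of the original post or of the kernel source: a simplified C model in which permission() is the only audit hook. The inode tree, model_open() and audited() are hypothetical names for this sketch; only the MAY_EXEC/MAY_WRITE values match the kernel.

```c
/* Simplified model (constructed, not kernel code) of a permission() hook. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAY_EXEC  1
#define MAY_WRITE 2

struct inode { const char *name; int writable; };

/* Constructed tree: "/" and "/etc" exist, neither writable by the caller. */
static struct inode root = { "/", 0 };
static struct inode etc  = { "etc", 0 };

static const char *audit_name[8];   /* inode each audit record refers to */
static int audit_mask[8];
static int audit_n;

/* Stand-in for permission(): the only audit hook point in this model. */
static int permission(struct inode *ino, int mask)
{
    if (audit_n < 8) {
        audit_name[audit_n] = ino->name;
        audit_mask[audit_n++] = mask;
    }
    return ((mask & MAY_WRITE) && !ino->writable) ? -EACCES : 0;
}

/* Open /etc/<leaf>, which never exists here. The leaf name is never
   passed to permission(), because there is no inode to pass. */
static int model_open(const char *leaf, int create)
{
    int err;
    (void)leaf;
    audit_n = 0;
    if ((err = permission(&root, MAY_EXEC)) || (err = permission(&etc, MAY_EXEC)))
        return err;
    if (!create)
        return -ENOENT;             /* lookup fails; the hook sees nothing more */
    return permission(&etc, MAY_WRITE | MAY_EXEC);  /* create check on parent */
}

static int audited(const char *name)  /* any record naming this inode? */
{
    for (int i = 0; i < audit_n; i++)
        if (strcmp(audit_name[i], name) == 0) return 1;
    return 0;
}

int main(void)
{
    int r = model_open("hosts.equiv", 1);
    printf("ret=%d records=%d target=%d\n", r, audit_n, audited("hosts.equiv"));
    return 0;
}
```

With or without the create flag, the hook records only / and etc; no record names hosts.equiv, so the attempted target has to be captured somewhere other than the inode hook.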



