[RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 1 14:05:13 UTC 2005
On Thu, 2005-03-31 at 16:46 -0600, Timothy R. Chavez wrote:
> The audit subsystem is currently incapable of auditing a file system object
> based on its location and name. This is critical for auditing well-defined
> and security-relevant files such as /etc/shadow, where auditing on inode and
> device is fallible.
You might want to elaborate slightly on what you mean by "fallible",
e.g. rewriting this sentence to:

    This is critical for auditing well-defined and security-relevant
    locations like /etc/shadow, where the file is re-created on each
    transaction and thus (device, inode)-based filters will not ensure
    persistence of auditing across transactions.

--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
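
The re-creation behaviour discussed in the message above, as an added user-space illustration that is not part of the original thread or the patch set: it records a file's (device, inode) pair, then updates the file once in place and once by writing a new file and renaming it over the old name. The stand-in file name, the `.tmp` suffix, the sample contents and the function names are all constructed for this example.

```python
import os
import tempfile


def dev_ino(path):
    """Return the (device, inode) pair that such a filter would key on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def update_in_place(path, data):
    """Rewrite the contents of the existing file; the inode is kept."""
    with open(path, "r+") as f:
        f.write(data)
        f.truncate()


def update_by_recreate(path, data):
    """Write a new file and rename it over the old name (one 'transaction')."""
    tmp = path + ".tmp"  # hypothetical temporary name
    with open(tmp, "w") as f:
        f.write(data)
    os.replace(tmp, path)  # the name now refers to a different inode


def run_demo():
    """Report whether a recorded (device, inode) key still matches the path."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shadow")  # constructed stand-in file
        with open(path, "w") as f:
            f.write("user:constructed-entry-1\n")
        watched = dev_ino(path)  # key recorded when the filter was added

        update_in_place(path, "user:constructed-entry-2\n")
        after_in_place = dev_ino(path) == watched

        update_by_recreate(path, "user:constructed-entry-3\n")
        after_recreate = dev_ino(path) == watched

        return {
            "key_matches_after_in_place": after_in_place,
            "key_matches_after_recreate": after_recreate,
            "path_still_resolves": os.path.isfile(path),
        }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

After the rename the path still resolves, but the recorded (device, inode) key no longer matches the file behind it.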