[RFC][PATCH 0/3][REVISED] CAPP-compliant file system auditing

Timothy R. Chavez tinytim at us.ibm.com
Fri Apr 1 16:47:04 UTC 2005


On Friday 01 April 2005 08:05 am, Stephen Smalley wrote:
> On Thu, 2005-03-31 at 16:46 -0600, Timothy R. Chavez wrote:
> > The audit subsystem is currently incapable of auditing a file system
> > object based on its location and name.  This is critical for auditing
> > well-defined and security-relevant files such as /etc/shadow, where
> > auditing on inode and device is fallible.
>
> You might want to elaborate slightly on what you mean by "fallible",
> e.g. rewriting this sentence to:
> This is critical for auditing well-defined and security-relevant
> locations like /etc/shadow, where the file is re-created on each
> transaction and thus (device, inode)-based filters will not ensure
> persistence of auditing across transactions.

Hm.  Ok...

So how about I do this all in one message, cut out the general overview and 
hook explanations and save those for discussion?  By the time this goes to 
fsdevel there should be an audit package in-sync with the RFC patch.

-tim
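
The point quoted above about (device, inode)-based filters, as an added example that is not part of the original message or the patch set. It assumes the "re-created on each transaction" update is done by writing a new file and renaming it over the old name; the `shadow` file, its contents, and all function names are constructed for illustration.

```python
import os
import tempfile


def file_id(path):
    """Return the (device, inode) pair an inode-based filter would key on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def rewrite_transaction(path, data):
    """Assumed update pattern: write a new file, then rename() it over the name."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.rename(tmp, path)  # atomic replace: the name now refers to a new inode


def inode_filter_matches(watched_id, path):
    """Hypothetical filter keyed on the (device, inode) seen when the rule was added."""
    return file_id(path) == watched_id


def path_filter_matches(watched_path, path):
    """Hypothetical filter keyed on location and name."""
    return os.path.realpath(path) == os.path.realpath(watched_path)


def demo():
    """Return (inode_match, path_match) before and after one rewrite transaction."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "shadow")  # constructed stand-in for /etc/shadow
        with open(target, "w") as f:
            f.write("user:!:19000::::::\n")  # constructed sample entry
        watched_id = file_id(target)  # what an inode-based rule would record
        before = (inode_filter_matches(watched_id, target),
                  path_filter_matches(target, target))
        rewrite_transaction(target, "user:*:19001::::::\n")
        after = (inode_filter_matches(watched_id, target),
                 path_filter_matches(target, target))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rewrite (inode, path):", before)
    print("after rewrite  (inode, path):", after)
```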