path-based filesystem watch limitation

Amy Griffis amy.griffis at hp.com
Tue Aug 16 16:52:56 UTC 2005


Hello,

I've been taking a look at the auditfs code in U2, and I've noticed an
issue with the path-based watching.  In U2, the path-based watching
code only keeps tabs on the parent of a given user watch, instead of
watching the entire path back to the filesystem root.

This means that if a path component beyond the user watch's parent
changes, the recreation of the object at the watched path will not be
caught.  Any subsequent events on the object at the watched path will
also not be caught.

For example:

# auditctl -w /one/two/three/four
# mkdir -p /one/two/three
# :> /one/two/three/four
# echo "hello world" > /one/two/three/four

<audit records generated>

# mv /one/two /one/too
# mkdir -p /one/two/three
# :> /one/two/three/four
# echo "hello world" > /one/two/three/four

<no audit records generated>

Is this a known limitation?

Amy
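
Added example, not part of the original post and not auditfs code: a small in-memory model of the sequence above, comparing a watch bound to the parent directory's inode plus the final name with a match on the full path. It assumes the watch is installed once /one/two/three exists and that "keeping tabs on the parent" means tracking that directory's inode; the Node, FS and run_scenario names are hypothetical.

```python
import itertools

class Node:
    _next_ino = itertools.count(1)
    def __init__(self, is_dir):
        self.ino = next(Node._next_ino)           # identity survives renames
        self.children = {} if is_dir else None

class FS:
    """Constructed in-memory tree; every create/write is logged as an event."""
    def __init__(self):
        self.root, self.events = Node(True), []   # events: (parent ino, name, path)

    def _walk(self, parts, create=False):
        node = self.root
        for name in parts:
            if name not in node.children:
                if not create:
                    raise FileNotFoundError(name)
                node.children[name] = Node(True)
            node = node.children[name]
        return node

    def mkdir_p(self, path):
        return self._walk(path.strip("/").split("/"), create=True)

    def write(self, path):                        # stands in for ":>" and "echo >"
        *dirs, name = path.strip("/").split("/")
        parent = self._walk(dirs)
        parent.children.setdefault(name, Node(False))
        self.events.append((parent.ino, name, path))

    def mv(self, src, dst):
        *sdirs, sname = src.strip("/").split("/")
        *ddirs, dname = dst.strip("/").split("/")
        self._walk(ddirs).children[dname] = self._walk(sdirs).children.pop(sname)

def run_scenario():
    fs, watched = FS(), "/one/two/three/four"
    parent = fs.mkdir_p("/one/two/three")
    parent_watch = (parent.ino, "four")           # assumption: parent inode + last name
    fs.write(watched); fs.write(watched)
    split = len(fs.events)
    fs.mv("/one/two", "/one/too")                 # watched parent inode leaves the path
    fs.mkdir_p("/one/two/three")                  # same path, brand-new inodes
    fs.write(watched); fs.write(watched)
    def hits(events):
        by_parent = sum((ino, name) == parent_watch for ino, name, _ in events)
        by_path = sum(path == watched for _, _, path in events)
        return by_parent, by_path
    return hits(fs.events[:split]), hits(fs.events[split:])
```

run_scenario() returns the (parent-bound, path-based) match counts before and after the rename; the parent-bound count drops to zero for the recreated path while the path-based count does not.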



