path-based filesystem watch limitation

Timothy R. Chavez tinytim at us.ibm.com
Tue Aug 16 21:09:19 UTC 2005


On Tuesday 16 August 2005 11:52, Amy Griffis wrote:
> Hello,
> 
> I've been taking a look at the auditfs code in U2, and I've noticed an
> issue with the path-based watching.  In U2, the path-based watching
> code only keeps tabs on the parent of a given user watch, instead of
> watching the entire path back to the filesystem root.
> 
> This means that if a path component beyond the user watch's parent
> changes, the recreation of the object at the watched path will not be
> caught.  Any subsequent events on the object at the watched path will
> also not be caught.
> 
> For example:
> 
> # auditctl -w /one/two/three/four
> # mkdir -p /one/two/three
> # :> /one/two/three/four
> # echo "hello world" > /one/two/three/four
> 
> <audit records generated>
> 
> # mv /one/two /one/too
> # mkdir -p /one/two/three
> # :> /one/two/three/four
> # echo "hello world" > /one/two/three/four
> 
> <no audit records generated>
> 
> Is this a known limitation?

It is known.  In a CAPP environment, this sort of trickery will not come up.
To do what you want to do, the logic would get extremely complicated and
perhaps one day it'll be doable (upstream).  Because we're storing the
information _in_ the file system we're limited on how much state we can
keep.

The original way we had planned on doing the logic was frowned upon
because it required a persistent (and potentially sizeable) map of a file
system depicting where all the watched locations are (and I believe
there were some namespace issues as well).  This way each component
of the watched path in the actual file system could be mapped all the way
up to the root directory.

-tim

> 
> Amy
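
A user-space model of the behaviour discussed in this thread, added here as an example and not code from the original messages or from auditfs. It assumes a watch is remembered only as the inode of the watched path's parent directory plus the final name; the function names are hypothetical, and the tree is built in a temporary directory.

```shell
#!/bin/sh
# Model (assumption): a watch is attached to the parent directory object of
# the watched path, identified here by inode number. Nothing above the
# parent is tracked, which is the limitation described in the thread.

# Print the inode number of a directory; fail if it does not exist.
dir_inode() {
    [ -d "$1" ] || return 1
    ls -di "$1" | awk '{print $1}'
}

# watch_install PATH: print the watch record "<parent inode>:<name>".
# Unlike auditctl -w, this model needs the parent to exist already.
watch_install() {
    ino=$(dir_inode "$(dirname "$1")") || return 1
    printf '%s:%s\n' "$ino" "$(basename "$1")"
}

# watch_covers RECORD PATH: succeed only if PATH's current parent is the
# same directory object the record was attached to.
watch_covers() {
    now=$(dir_inode "$(dirname "$2")") || return 1
    [ "$now:$(basename "$2")" = "$1" ]
}

# Replay the sequence from the message and report, in order: the first
# write, the write after the ancestor rename, and the moved location.
replay() {
    root=$(mktemp -d) || return 1
    target="$root/one/two/three/four"
    mkdir -p "$root/one/two/three"
    rec=$(watch_install "$target")
    : > "$target"
    if watch_covers "$rec" "$target"; then before=covered; else before=missed; fi
    mv "$root/one/two" "$root/one/too"      # ancestor beyond the parent changes
    mkdir -p "$root/one/two/three"          # path recreated with new inodes
    : > "$target"
    if watch_covers "$rec" "$target"; then after=covered; else after=missed; fi
    # The record followed the renamed directory, not the path string.
    if watch_covers "$rec" "$root/one/too/three/four"; then moved=covered; else moved=missed; fi
    rm -rf "$root"
    echo "$before $after $moved"
}

replay   # prints: covered missed covered
```

The same comparison, run periodically against the real parent directory of each watched path, is one way to notice that a watch no longer covers the path it was installed for.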