path-based filesystem watch limitation
Timothy R. Chavez
tinytim at us.ibm.com
Tue Aug 16 21:18:00 UTC 2005
On Tuesday 16 August 2005 16:09, Timothy R. Chavez wrote:
> On Tuesday 16 August 2005 11:52, Amy Griffis wrote:
> > Hello,
> >
> > I've been taking a look at the auditfs code in U2, and I've noticed an
> > issue with the path-based watching. In U2, the path-based watching
> > code only keeps tabs on the parent of a given user watch, instead of
> > watching the entire path back to the filesystem root.
> >
> > This means that if a path component beyond the user watch's parent
> > changes, the recreation of the object at the watched path will not be
> > caught. Any subsequent events on the object at the watched path will
> > also not be caught.
> >
> > For example:
> >
> > # auditctl -w /one/two/three/four
> > # mkdir -p /one/two/three
> > # :> /one/two/three/four
> > # echo "hello world" > /one/two/three/four
> >
> > <audit records generated>
> >
> > # mv /one/two /one/too
> > # mkdir -p /one/two/three
> > # :> /one/two/three/four
> > # echo "hello world" > /one/two/three/four
> >
> > <no audit records generated>
> >
> > Is this a known limitation?
>
> It is known. In a CAPP environment, this sort of trickery will not come up.
> To do what you want to do, the logic would get extremely complicated and
> perhaps one day it'll be doable (upstream). Because we're storing the
> information _in_ the file system we're limited on how much state we can
> keep.
>
> The original way we had planned on doing the logic was frowned upon
> because it required a persistent (and potentially sizeable) map of a file
> system depicting where all the watched locations are (and I believe
> there were some namespace issues as well). This way each component
> of the watched path in the actual file system could be mapped all the way
> up to the root directory.
Er... and provide a mechanism to keep state such that a watched location
is always watched when it exists regardless of any "inbetween" activity
that breaks the watched path and then reconstructs it.
-tim
>
> -tim
>
> >
> > Amy
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > http://www.redhat.com/mailman/listinfo/linux-audit
> >
> >
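A toy model of the limitation discussed in this thread, added here as an illustration and not taken from the auditfs code or from either poster. It assumes the watch is stored on the parent directory's inode (`parent_only`) and compares that with a lookup in a map of full watched paths (`full_path`); `Dir`, `ToyFS` and `replay` are hypothetical names, and the model attaches the watch once the parent directory exists.

```python
class Dir:
    def __init__(self):  # constructed stand-in for a directory inode
        self.children = {}    # name -> Dir, or "file" for a regular file
        self.watched = set()  # child names audited in this directory

class ToyFS:
    def __init__(self):
        self.root = Dir()
        self.path_watches = set()  # alternative state: map of full watched paths

    def _walk(self, path, create=False):
        node = self.root
        for name in filter(None, path.split("/")):
            if name not in node.children:
                if not create:
                    raise FileNotFoundError(path)
                node.children[name] = Dir()
            node = node.children[name]
        return node

    def mkdir_p(self, path):
        self._walk(path, create=True)

    def watch(self, path):
        parent, name = path.rsplit("/", 1)
        self._walk(parent).watched.add(name)  # assumption: state lives on the parent inode
        self.path_watches.add(path)

    def rename(self, old, new):
        src_dir, src_name = old.rsplit("/", 1)
        dst_dir, dst_name = new.rsplit("/", 1)
        moved = self._walk(src_dir).children.pop(src_name)  # subtree moves with its watches
        self._walk(dst_dir).children[dst_name] = moved

    def write(self, path):
        parent, name = path.rsplit("/", 1)
        directory = self._walk(parent)
        directory.children[name] = "file"
        return {"parent_only": name in directory.watched, "full_path": path in self.path_watches}

def replay():
    fs, target = ToyFS(), "/one/two/three/four"
    fs.mkdir_p("/one/two/three")
    fs.watch(target)
    before = fs.write(target)                # watched path intact
    fs.rename("/one/two", "/one/too")        # a component above the parent changes
    moved = fs.write("/one/too/three/four")  # object that used to be at the path
    fs.mkdir_p("/one/two/three")
    after = fs.write(target)                 # recreated object at the watched path
    return before, moved, after
```

In the model, the parent-stored watch travels with the renamed directory and the recreated `/one/two/three/four` is missed, while the path map catches the recreated object but needs state outside the file system.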