[RFC] upstreaming audit filesystem pieces
Timothy R. Chavez
tinytim at us.ibm.com
Tue Aug 23 20:50:39 UTC 2005
On Tuesday 23 August 2005 15:49, Chris Wright wrote:
> * Amy Griffis (amy.griffis at hp.com) wrote:
> > Suggested Approach
> > ------------------
> > The plan proposed several weeks ago was to write a general filesystem
> > event notification component for the kernel, based on the current
> > auditfs patch. I think this is a mistake for several reasons.
>
> I agree, inotify is already there, and makes sense as basis moving
> forward.
>
> <snip>
> > In order for audit to use Inotify, Inotify would need to provide:
> >
> > - An Inotify kernel API.
> >
> > - A pointer to the relevant inode struct when a filesystem event
> > occurs.
> >
> > - The ability to begin watching a file at the moment of creation.
> > Currently audit is pre-notified, via dcache hooks, when a file is
> > created, moved, or deleted. This allows audit to enable or disable
> > a watch on the appropriate inode. Audit would need a similar
> > pre-notification, or preferably the ability to add (and possibly
> > remove) watches from an Inotify event callback.
>
> Inotify has a couple new dcache hooks, (iirc it's for delete), did you
> look at those yet?
I'm happy to go with this approach. I'm ending some other work and by
Thursday should be ready to devote a lot more time to it. This is a
good start, well organized. Thanks.
-tim