audit 0.6 release

David Woodhouse dwmw2 at infradead.org
Thu Jan 13 15:11:19 UTC 2005


On Fri, 2005-01-07 at 11:20 +1100, Leigh Purdie wrote:
> 
> Tom can correct me here, but I suspect that ideally:
> * symlinks and links should be resolved. (even if the file linked to
> no longer actually exists - the final path name should still be
> reported/filtered on). Ideally, access to a symlink will actually
> generate TWO events - one for the symlink (open - read), one for the
> final file (open - as per user requirement).

That's a meaningful statement for symlinks but not for hard links. With
hard links there is no one 'final path name'; they're all just different
names for the same inode. If I hard-link /etc/passwd to /tmp/fish then
both of those are _real_ names for it.

It would be almost impossible to implement a system which is asked to
log 'all access to /etc/*' and includes in that the access to /tmp/fish.

-- 
dwmw2
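
The distinction drawn above, as an added example that is not part of the original message: a symlink resolves to one final path, so a path filter on the watched directory still matches it, while a hard link is just another real name and only a (device, inode) comparison ties it back to the watched file. The sandbox directories standing in for /etc and /tmp, the name `sym`, and the functions `path_rule_matches` and `inode_key` are assumptions made for illustration.

```python
import os
import tempfile


def path_rule_matches(path, watched_dir):
    """Path-based filter: resolve symlinks, then test the directory prefix."""
    resolved = os.path.realpath(path)
    root = os.path.realpath(watched_dir)
    return os.path.commonpath([resolved, root]) == root


def inode_key(path):
    """Identity of the underlying file: (device, inode), following symlinks."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def demo():
    # Constructed sandbox standing in for /etc and /tmp; no real system files are touched.
    with tempfile.TemporaryDirectory() as base:
        etc = os.path.join(base, "etc")
        tmp = os.path.join(base, "tmp")
        os.mkdir(etc)
        os.mkdir(tmp)
        passwd = os.path.join(etc, "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")  # constructed sample content

        symlink = os.path.join(tmp, "sym")
        hardlink = os.path.join(tmp, "fish")
        os.symlink(passwd, symlink)   # resolves to one final path name
        os.link(passwd, hardlink)     # a second real name for the same inode

        watched = {inode_key(passwd)}
        results = {}
        for name, p in (("direct", passwd), ("symlink", symlink), ("hardlink", hardlink)):
            results[name] = {
                "path_rule": path_rule_matches(p, etc),
                "inode_rule": inode_key(p) in watched,
                "nlink": os.stat(p).st_nlink,
            }
        return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

A link count (`nlink`) above 1 on a watched file is the signal that other names exist somewhere on the same filesystem, which is why the path rule alone cannot answer "all access to /etc/*".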



