[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Casey Schaufler
casey at schaufler-ca.com
Tue Jan 25 17:40:00 UTC 2005
--- "Timothy R. Chavez" <chavezt at gmail.com> wrote:
> I'd appreciate any and all comments / feedback.
Not bad. Couple of comments/questions:
> + /* The root directory cannot be watched */
> + if (!strcmp(path, "/")) {
> + ret = -EPERM;
> + goto audit_remove_watch_exit;
What are the implications regarding a chroot
environment? I can imagine (although it strikes
me as somewhat insane) an admin wanting to audit
everything that goes on in a chroot environment,
say for a honeypot. The watching would have to
be enabled from outside. Not a bad thing, but is
it what you want?
> +/* The structure that stores information about
files/directories being
> + * watched in the filesystem, that the syscall
accessed.
> + */
> +
> +struct audit_file {
> + struct audit_watch *watch;
> + struct list_head list;
> + unsigned long ino;
> + umode_t mode;
> + uid_t uid;
> + gid_t gid;
> + dev_t rdev;
> + int mask;
> +};
Where does one put the ACL, MAC label, and/or
capability set of the file? I may not be able
to go get it later, as it may change or worse,
the file might be gone by then.
=====
Casey Schaufler
casey at schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail
More information about the Linux-audit
mailing list