[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Stephen Smalley
sds at epoch.ncsc.mil
Thu Jan 27 14:09:25 UTC 2005
On Tue, 2005-01-25 at 01:22, Timothy R. Chavez wrote:
> Alright,
>
> Once again, thank you to Serge, Chris, and David for all the insight.
> Here's the latest patch incorporating many of the changes you all
> suggested. There are still some things missing and not fully tested
> (for instance, the locking).
>
> TODO:
>
> * Make filesystem auditing enabled/disabled at runtime
> * Re-add comments with proper DocBook formatting
> * Remove Makefile changes
> * Move struct audit_file to a slab cache
>
> Am I forgetting something? (Soooo tired ;-))
>
> I'd appreciate any and all comments / feedback. Thank you.
Possibly I missed earlier discussion of this issue, but I would have
expected an audit watch to have an associated permission mask (i.e. I
only want to watch for writes to /etc/passwd, not reads), and have
audit_notify_watch() only add an entry to the audit context if the audit
watch mask has a non-zero intersection with the requested permission
mask. Otherwise, you will be generating a ton of useless entries.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
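
The filtering suggested in the reply above, as an added userspace C model that is not part of the original message or of the patch under discussion. `struct watch`, `struct audit_ctx`, `notify_watch()`, `replay_sample()` and the sample watch list are hypothetical; only the `MAY_*` values come from the kernel.

```c
#include <string.h>

/* Same values as MAY_* in the kernel's include/linux/fs.h. */
#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4
#define MAX_ENTRIES 16

/* Hypothetical watch: a path plus the accesses worth auditing. */
struct watch { const char *path; int perm_mask; };
/* Hypothetical per-task audit context holding the matched watches. */
struct audit_ctx {
    const struct watch *hits[MAX_ENTRIES];
    int requested[MAX_ENTRIES];
    size_t count;
};

/* Constructed sample watch list. */
static const struct watch watches[] = {
    { "/etc/passwd", MAY_WRITE },
    { "/etc/shadow", MAY_READ | MAY_WRITE },
};

/* Model of the notify hook: returns 1 if an entry was recorded, else 0. */
int notify_watch(struct audit_ctx *ctx, const char *path, int requested)
{
    for (size_t i = 0; i < sizeof(watches) / sizeof(watches[0]); i++) {
        if (strcmp(watches[i].path, path) != 0)
            continue;
        /* Skip unless the watch mask intersects the requested access. */
        if (!(watches[i].perm_mask & requested) || ctx->count == MAX_ENTRIES)
            return 0;
        ctx->hits[ctx->count] = &watches[i];
        ctx->requested[ctx->count++] = requested;
        return 1;
    }
    return 0; /* path is not watched */
}

/* Replays a constructed access trace; returns the number of entries kept. */
size_t replay_sample(struct audit_ctx *ctx)
{
    ctx->count = 0;
    notify_watch(ctx, "/etc/passwd", MAY_READ);             /* skipped */
    notify_watch(ctx, "/etc/passwd", MAY_READ | MAY_WRITE); /* recorded */
    notify_watch(ctx, "/etc/shadow", MAY_READ);             /* recorded */
    notify_watch(ctx, "/etc/hosts", MAY_WRITE);             /* not watched */
    return ctx->count;
}
```

A read-only access to a write-only watch leaves no entry, while a combined read/write request still matches because the test is a bitwise intersection rather than an equality check.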