[PATCH] audit: file system auditing based on location and name

Greg KH greg at kroah.com
Wed Jul 6 17:17:26 UTC 2005


On Wed, Jul 06, 2005 at 11:54:41AM -0500, Timothy R. Chavez wrote:
> To implement this feature we rely on the concepts of a "watch" and
> "watch list".  Directories hold lists of "watches" (i.e., "watch lists")
> that describe auditable file names one level beneath them.  If a file 
> holds a pointer into a "watch list" it is auditable.  When accessed by 
> a system call, information about the inode and its "watches" is added 
> to the audit context of the current task (an inode may have multiple 
> "watches" if a hard link to a "watched" file is itself being "watched")
> which is sent to user space upon system call exit.  

This sounds almost identical to inotify.  Is there some way you could
use that instead?  If not, you should explain why in your patch
introduction.

thanks,

greg k-h



