patch update to ~51

Steve Grubb sgrubb at redhat.com
Thu Jun 2 13:55:35 UTC 2005


On Thursday 02 June 2005 09:39, David Woodhouse wrote:
> What you suggest would require a complete redesign, and I don't see a
> way of doing it that would have any chance of being acceptable
> upstream.

I checked. It seems like you cannot set watches on an unmounted drive and then 
mount it. So, there's no race-free way of setting watches before mounting. 
Watches that are set and then the partition is unmounted & mounted survive.

Watches set on a file within a directory that gets renamed are deleted even 
though the inode is the same:

[root@endeavor ~]# auditctl -w /mnt/target/etc/passwd -k test -p rwea
No rules
AUDIT_WATCH_LIST: dev=3:9, path=/mnt/target/etc/passwd, filterkey=test, perms=rwea, valid=0
[root@endeavor ~]# ls -i /mnt/target/etc/passwd
393220 /mnt/target/etc/passwd
[root@endeavor ~]# mv /mnt/target/etc/ /mnt/target/old-etc
[root@endeavor ~]# auditctl -l
No rules
No watches
[root@endeavor ~]# ls -i /mnt/target/old-etc/passwd
393220 /mnt/target/old-etc/passwd

I don't think this is expected behavior, and it will lead to bug reports. What's a 
system admin supposed to do? Take a snapshot of the rules at boot and diff 
the current rules with the snapshot to see what needs reapplying?

-Steve
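
The snapshot-and-diff check that the message asks about, as an added example that is not part of the original post or of the audit tools. It assumes the AUDIT_WATCH_LIST line format shown in the message; the function names and the sample listings are constructed for illustration.

```python
import re
import shlex

# Watch line format as shown in the message above, e.g.
# AUDIT_WATCH_LIST: dev=3:9, path=/x, filterkey=test, perms=rwea, valid=0
WATCH_RE = re.compile(
    r"^AUDIT_WATCH_LIST:\s*dev=(?P<dev>[^,]+),\s*path=(?P<path>.+?),\s*"
    r"filterkey=(?P<key>[^,]*),\s*perms=(?P<perms>[rwea]*),\s*valid=\d+$"
)

def parse_watches(listing):
    """Return {path: (filterkey, perms)} for each watch line in a listing."""
    watches = {}
    for line in listing.splitlines():
        m = WATCH_RE.match(line.strip())
        if m:  # skips "No rules", "No watches" and anything unrecognised
            watches[m["path"]] = (m["key"], m["perms"])
    return watches

def diff_watches(snapshot, current):
    """Return (missing, changed) path lists relative to the snapshot."""
    old, new = parse_watches(snapshot), parse_watches(current)
    missing = sorted(p for p in old if p not in new)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return missing, changed

def reapply_commands(snapshot, current):
    """Build auditctl commands for watches that vanished since the snapshot."""
    old = parse_watches(snapshot)
    missing, _ = diff_watches(snapshot, current)
    return ["auditctl -w %s -k %s -p %s"
            % (shlex.quote(p), shlex.quote(old[p][0]), old[p][1])
            for p in missing]

# Constructed sample listings, not captured from a real system.
SNAPSHOT = """\
AUDIT_WATCH_LIST: dev=3:9, path=/mnt/target/etc/passwd, filterkey=test, perms=rwea, valid=0
AUDIT_WATCH_LIST: dev=3:9, path=/mnt/target/var/log/wtmp, filterkey=logins, perms=wa, valid=0
"""
CURRENT = """\
AUDIT_WATCH_LIST: dev=3:9, path=/mnt/target/var/log/wtmp, filterkey=logins, perms=w, valid=0
"""

if __name__ == "__main__":
    missing, changed = diff_watches(SNAPSHOT, CURRENT)
    print("missing:", missing, "changed:", changed)
    print("\n".join(reapply_commands(SNAPSHOT, CURRENT)))
```

The snapshot records paths, not inodes, so after a rename like the one in the message the generated command still names the old path and the new location has to be chosen by hand.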



