.56 kernel FS_WATCH records

Steve Grubb sgrubb at redhat.com
Tue Jun 7 18:06:24 UTC 2005


Hi,

Testing with the .56 kernel. I did a watch on a file and then did a move:

type=PATH msg=audit(06/07/05 13:54:22.683:3988791) : item=1 
name=/mnt/target/etc/passwd.old inode=393217 dev=03:09 mode=dir,755 ouid=root 
ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 13:54:22.683:3988791) : item=0 
name=/mnt/target/etc/passwd inode=393217 dev=03:09 mode=dir,755 ouid=root 
ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 13:54:22.683:3988791) :  cwd=/home/sgrubb
type=FS_WATCH msg=audit(06/07/05 13:54:22.683:3988791) : inode=393220 
inode_uid=root inode_gid=root inode_dev=03:09 inode_rdev=00:00
type=FS_WATCH msg=audit(06/07/05 13:54:22.683:3988791) : watch_inode=393220 
watch=passwd filterkey=test perm=read,write,exec,append perm_mask=write
type=SYSCALL msg=audit(06/07/05 13:54:22.683:3988791) : arch=i386 
syscall=rename success=yes exit=0 a0=bfff3be6 a1=bfff3bfd a2=80562a4 
a3=bffeea30 items=2 pid=4137 auid=sgrubb uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root comm=mv exe=/bin/mv

Why does FS_WATCH have 2 formats? Both are the same type and have totally 
different name/value pairs. This messes up parsing. If they represent 2 
different pieces of information, they have to have 2 different message types.

Besides, why are they split like this? They weren't like this last week. This 
introduces another 46-byte overhead to disk space consumption for each record.

Also, in the path record, it is a file - not a dir. The permissions are wrong 
as well. sb 0644.

-Steve
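The parsing problem raised in the post, shown as an added example that is not part of the original message or of the audit project's own code: a small Python parser that reads the interpreted records quoted above, groups them into one event by serial number, and reports any record type that appears with more than one field layout inside that event. It assumes the interpreted record format shown in the post (`type=T msg=audit(TIMESTAMP:SERIAL) : key=value ...`, values without whitespace or quoting); raw audit logs quote some values differently, so that assumption would need revisiting there.

```python
"""Parse interpreted Linux audit records, group them into events by serial
number, and flag record types that occur with more than one field layout.

Added example; not code from the post or from the audit project. The record
format assumed here is the interpreted layout shown in the post:
'type=T msg=audit(TIMESTAMP:SERIAL) : key=value ...' with values that
contain no whitespace.
"""
import re
from collections import defaultdict

# The timestamp itself contains colons, so the serial is the digits after
# the last colon inside the parentheses.
HEADER_RE = re.compile(r"^type=(\S+)\s+msg=audit\(([^)]+):(\d+)\)\s*:\s*(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: the six records quoted in the post, one per line.
SAMPLE = """\
type=PATH msg=audit(06/07/05 13:54:22.683:3988791) : item=1 name=/mnt/target/etc/passwd.old inode=393217 dev=03:09 mode=dir,755 ouid=root ogid=root rdev=00:00
type=PATH msg=audit(06/07/05 13:54:22.683:3988791) : item=0 name=/mnt/target/etc/passwd inode=393217 dev=03:09 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(06/07/05 13:54:22.683:3988791) :  cwd=/home/sgrubb
type=FS_WATCH msg=audit(06/07/05 13:54:22.683:3988791) : inode=393220 inode_uid=root inode_gid=root inode_dev=03:09 inode_rdev=00:00
type=FS_WATCH msg=audit(06/07/05 13:54:22.683:3988791) : watch_inode=393220 watch=passwd filterkey=test perm=read,write,exec,append perm_mask=write
type=SYSCALL msg=audit(06/07/05 13:54:22.683:3988791) : arch=i386 syscall=rename success=yes exit=0 a0=bfff3be6 a1=bfff3bfd a2=80562a4 a3=bffeea30 items=2 pid=4137 auid=sgrubb uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=mv exe=/bin/mv
"""


def parse_record(line):
    """Return {'type', 'time', 'serial', 'fields'} for one record, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    return {
        "type": rtype,
        "time": stamp,
        "serial": int(serial),
        "fields": dict(FIELD_RE.findall(body)),
    }


def group_events(text):
    """Group records by audit serial number; records of one event share it."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def layouts_by_type(records):
    """Map record type -> sorted list of distinct field-name layouts seen."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["type"]].add(tuple(sorted(rec["fields"])))
    return {t: sorted(layouts) for t, layouts in seen.items()}


def layout_conflicts(records):
    """Record types that occur with more than one field layout in an event.

    This is the condition the post objects to: a parser keyed on 'type'
    cannot know which set of fields to expect for such a record.
    """
    return {t: l for t, l in layouts_by_type(records).items() if len(l) > 1}


if __name__ == "__main__":
    for serial, recs in group_events(SAMPLE).items():
        for rtype, layouts in layout_conflicts(recs).items():
            print(f"event {serial}: {rtype} has {len(layouts)} layouts")
            for layout in layouts:
                print("   ", " ".join(layout))
```

Run against the sample, the only conflicting type is `FS_WATCH`, with one layout carrying the `inode_*` fields and another carrying `watch_inode`, `watch`, `filterkey`, `perm` and `perm_mask`; `PATH` occurs twice but with the same field set, so it is not reported.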

More information about the Linux-audit mailing list