.56 kernel FS_WATCH records
Timothy R. Chavez
tinytim at us.ibm.com
Tue Jun 7 19:59:31 UTC 2005
On Tuesday 07 June 2005 13:15, Loulwa Salem wrote:
> Steve Grubb wrote:
> > Hi,
> >
> > Testing with the .56 kernel. I did a watch on a file and then did a move:
> ... snip ...
> > Why does FS_WATCH have 2 formats? Both are the same type and have totally
> > different name/value pairs. This messes up parsing. If they represent 2
> > different pieces of information, they have to have 2 different message types.
> >
> > Besides, why are they split like this? They weren't like this last week. This
> > introduces another 46 byte overhead to diskspace consumption for each record.
> >
> > Also, in the path record, it is a file - not a dir. The permissions are wrong
> > as well. sb 0644.
> >
> > -Steve
> >
> I definitely agree with Steve ... having two different FS_WATCH records
> will also break our parsing mechanism.
> I think from a test perspective, I would prefer concatenating the
> records the way they were before rather than creating another type.
> Having a different type will also cause a headache in our parse and
> verify functions.
>
Well they can change to whatever they need to be. I was just trying to
illustrate watches per inode per record... if someone proposes a better
format we'll go ahead and patch that. Preferably Loulwa since this is
most sensitive to her.
-tim
> - Loulwa
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
>
>