File system audit loses watches

Klaus Weidner klaus at atsec.com
Wed Jun 8 20:59:23 UTC 2005


On Tue, Jun 07, 2005 at 04:42:18PM -0400, Steve Grubb wrote:
> On Tuesday 07 June 2005 16:34, David Woodhouse wrote:
> > Same answer as last time you asked the question. The rule is tied to the
> > directory, and when the directory goes away the watch does too.
> 
> I asked again because we still have a problem. If the configuration changes, I 
> think there has to be a CONFIG_CHANGED record.

I'm not happy with the "silently" part, but I don't see a fundamental
problem with having the kernel delete watches. I think the audit watches
are basically a kind of filesystem metadata that supports the real audit
configuration.

The behavior should be clearly documented, but I don't think it's a
problem since deleting directories isn't something that happens as part
of normal use. 

Steve mentioned that it would be easy to create audit records when the
kernel deletes watches. Listing the exact watch would be nice but I
wouldn't consider it to be essential. Maybe the message should be
something like "The kernel removed a watch on a deleted directory", with
the implication that admins need to reload the audit rules if necessary.
Auditing rmdir(2) would help track what happened.

-Klaus
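The point Klaus raises, that an admin has to notice a dropped watch and reload the rules, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the audit project: it compares the watch paths an administrator configured against the watches currently loaded in the kernel, and reports any that have gone missing (for instance because their directory was removed). It assumes the `-w <path> -p <perms> -k <key>` rule form that `auditctl -l` prints on current audit userspace; the rules file contents, the "loaded rules" output and the paths are constructed sample data, and the `-S rmdir -S unlinkat` syscall rule is the kind of rule Klaus suggests for tracking the rmdir(2) that removed the watch.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect audit watches the
# kernel has dropped by diffing configured watch paths against loaded ones.
# Assumes modern auditctl output ("-w /path -p wa -k key" per line); paths
# containing whitespace are not handled, which is acceptable for a check like
# this because audit rule files rarely contain them.

# Print the watch paths found in auditctl-style rule text read from stdin.
watch_paths() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "-w") print $(i + 1) }'
}

# $1: rule text the admin expects to be active (e.g. the rules file)
# $2: rule text currently loaded (e.g. the output of "auditctl -l")
# Prints every expected watch path that is absent from the loaded set.
missing_watches() {
    loaded=$(printf '%s\n' "$2" | watch_paths)
    printf '%s\n' "$1" | watch_paths | while IFS= read -r p; do
        printf '%s\n' "$loaded" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample rules file: two directory watches plus a syscall rule so
# that the rmdir/unlinkat which removes a watched directory is itself audited.
RULES_FILE='-w /etc/audit -p wa -k audit_cfg
-w /var/tmp/build -p wa -k build_dir
-a always,exit -F arch=b64 -S rmdir -S unlinkat -k dir_removed'

# Constructed sample of what "auditctl -l" shows after /var/tmp/build was
# removed: the kernel dropped that watch along with the directory.
LOADED='-w /etc/audit -p wa -k audit_cfg
-a always,exit -F arch=b64 -S rmdir -S unlinkat -k dir_removed'

# Run the check against the constructed data when executed directly.
# With "--live <rules-file>" and root privileges it compares the given file
# against the kernel's real rule list instead.
case "${1:-}" in
    --live)
        missing_watches "$(cat "$2")" "$(auditctl -l)"
        ;;
    *)
        printf 'Watches missing from the loaded rules:\n'
        missing_watches "$RULES_FILE" "$LOADED"
        ;;
esac
```

Run without arguments it reports `/var/tmp/build`; an empty result means every configured watch is still loaded. Pairing the check with the `dir_removed` syscall rule means the audit log also records which process removed the directory, so the two together cover both halves of Klaus's suggestion: knowing that a watch vanished, and knowing why.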
