[RFC][PATCH] (#6) filesystem auditing
Stephen Smalley
sds at tycho.nsa.gov
Tue Mar 15 20:48:00 UTC 2005
On Tue, 2005-03-15 at 14:42 -0500, Stephen Smalley wrote:
> Ok, why doesn't the following trigger any audit messages:
>
> # ./auditctl -w /etc/shadow
> AUDIT_WATCH : INSERT : SUCCESS
>
> $ passwd
> Changing password for user sds.
> Changing password for sds
> (current) UNIX password:
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.
>
> /etc/shadow was re-created by this transaction.
>
> I did see debugging messages about pushing and popping data on the cache stack.
Hmmm...how is this supposed to work? audit_log_exit() isn't called
unless context->auditable is set. Should audit_notify_watch() be
setting context->auditable when adding a file to the wtrail so that it
will be processed upon syscall exit? Otherwise, you need some other
filter to enable the auditable flag separate from your watch, right?
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the Linux-audit
mailing list