[RFC][PATCH] (#6) filesystem auditing
Timothy R. Chavez
tinytim at us.ibm.com
Wed Mar 16 16:52:47 UTC 2005
On Tuesday 15 March 2005 03:01 pm, Stephen Smalley wrote:
> On Tue, 2005-03-15 at 15:48 -0500, Stephen Smalley wrote:
> > Hmmm...how is this supposed to work? audit_log_exit() isn't called
> > unless context->auditable is set. Should audit_notify_watch() be
> > setting context->auditable when adding a file to the wtrail so that it
> > will be processed upon syscall exit? Otherwise, you need some other
> > filter to enable the auditable flag separate from your watch, right?
>
> Note btw that since SELinux does immediate generation of audit messages
> via audit_log* from its hooks, this automatically enables the auditable
> flag (since audit_log_start calls audit_get_stamp, and audit_get_stamp
> enables the auditable flag). That is why further audit records are
> written at syscall exit whenever SELinux emits an audit message from a
> hook. But in your case, as you are just adding data to a list from your
> hook, you need to separately enable the auditable flag in some manner.
Right, the manner in which you get records for watched files / directories is
by filtering on syscalls that access those watched files / directories. In
our case we said it was sufficient to audit the following two:
./auditctl -a exit,always -S open
./auditctl -a exit,always -S unlink
So then when you do,
./auditctl -w /etc/passwd -k fk_passwd_f
And then,
cat /etc/passwd
You'll get a record for "passwd".
Then if you added,
./auditctl -w /etc -k fk_etc_d
And then,
cat /etc/passwd
You should get a trail (two records); one for "etc" and one for "passwd"
-tim
More information about the Linux-audit
mailing list