[RFC][PATCH] (#6) filesystem auditing
Stephen Smalley
sds at tycho.nsa.gov
Wed Mar 16 17:05:46 UTC 2005
On Wed, 2005-03-16 at 10:52 -0600, Timothy R. Chavez wrote:
> Right, the manner in which you get records for watched files / directories is
> by filtering on syscalls that access those watched files / directories. In
> our case we said it was sufficient to audit the following two:
>
> ./auditctl -a exit,always -S open
> ./auditctl -a exit,always -S unlink
Hmmm...at least with vanilla 2.6.11+your patch, this starts immediately
generating audit records for _all_ opens and unlinks that occur on the
system. I assume that isn't what you want.
> So then when you do,
>
> ./auditctl -w /etc/passwd -k fk_passwd_f
I would have expected this to implicitly enable auditing whenever
audit_notify_watch() is called on an inode that has previously been
flagged as requiring auditing by audit_watch(). I wouldn't expect it to
require further rules, and I certainly wouldn't want to have to audit
all opens just to get these records...
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
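As an added illustration of the point raised above (this is example code, not part of the original post or of the filesystem-auditing patch under review): with a global `-S open` / `-S unlink` rule, every open and unlink on the box produces a SYSCALL event, and the only way to find the ones that touched the watched file is to correlate each SYSCALL record with its PATH records by event serial, or to rely on the watch's key. The log lines are constructed and use the record layout of later auditd releases (`type=SYSCALL` / `type=PATH` linked by the `audit(ts:serial)` id, `key="..."` carried on the SYSCALL record, i386 syscall numbers 5 = open, 10 = unlink); that layout is an assumption, the 2005 RFC patch may have emitted different records.

```python
"""Correlate auditd-style SYSCALL and PATH records and pick out watched-file events.

Added example, not code from the linux-audit thread or the RFC patch. Assumes the
SYSCALL/PATH record format of later auditd releases; sample log is constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: three opens and one unlink captured by the global
# "-S open" / "-S unlink" rules. Only event 203 is the watched /etc/passwd, and
# only it carries the key from "-w /etc/passwd -k fk_passwd_f".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1110991546.101:201): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe3a0 a1=0 a2=0 a3=0 items=1 pid=1201 auid=500 uid=0 comm="cron" exe="/usr/sbin/cron"
type=PATH msg=audit(1110991546.101:201): item=0 name="/etc/crontab" inode=4097 dev=03:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1110991546.120:202): arch=40000003 syscall=5 success=yes exit=4 a0=bfffe3a0 a1=0 a2=0 a3=0 items=1 pid=1202 auid=500 uid=0 comm="sshd" exe="/usr/sbin/sshd"
type=PATH msg=audit(1110991546.120:202): item=0 name="/etc/ssh/sshd_config" inode=4100 dev=03:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1110991547.005:203): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe3a0 a1=0 a2=0 a3=0 items=1 pid=1210 auid=500 uid=500 comm="login" exe="/bin/login" key="fk_passwd_f"
type=PATH msg=audit(1110991547.005:203): item=0 name="/etc/passwd" inode=4112 dev=03:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1110991547.230:204): arch=40000003 syscall=10 success=yes exit=0 a0=bfffe3a0 a1=0 a2=0 a3=0 items=1 pid=1211 auid=500 uid=500 comm="rm" exe="/bin/rm"
type=PATH msg=audit(1110991547.230:204): item=0 name="/tmp/scratch" inode=8201 dev=03:01 mode=0100644 ouid=500 ogid=500
"""

# msg=audit(<timestamp>:<serial>) ties every record of one syscall together.
EVENT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs; quoted values may contain spaces, unquoted ones may not.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (record_type, event_serial, fields) for each record line."""
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        yield fields["type"], int(m.group("serial")), fields


def group_events(text):
    """Group records by serial into {serial: {"SYSCALL": fields, "PATH": [fields]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for rtype, serial, fields in parse_records(text):
        if rtype == "SYSCALL":
            events[serial]["SYSCALL"] = fields
        elif rtype == "PATH":
            events[serial]["PATH"].append(fields)
    return dict(events)


def events_for_watch(text, path=None, key=None):
    """Serials of events that carry `key` or whose PATH records name `path`."""
    hits = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev["SYSCALL"]
        if sc is None:
            continue  # PATH records without a SYSCALL parent; ignore
        if key is not None and sc.get("key") == key:
            hits.append(serial)
        elif path is not None and any(p.get("name") == path for p in ev["PATH"]):
            hits.append(serial)
    return hits


def flood_ratio(text, key):
    """(total SYSCALL events, events carrying the watch key): the rest is noise."""
    events = group_events(text)
    total = sum(1 for ev in events.values() if ev["SYSCALL"] is not None)
    return total, len(events_for_watch(text, key=key))


if __name__ == "__main__":
    total, keyed = flood_ratio(SAMPLE_LOG, "fk_passwd_f")
    print(f"{total} SYSCALL events recorded, {keyed} for key fk_passwd_f")
    print("events touching /etc/passwd:", events_for_watch(SAMPLE_LOG, path="/etc/passwd"))
```

Even on this tiny constructed log, three of the four events are noise produced solely by the blanket syscall rules; on a real system the ratio is far worse, which is the objection in the message above. Selecting by the watch key (or by the watched inode's PATH record) recovers the one event of interest, but only after the kernel has already emitted and userspace has already written every other open and unlink.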
More information about the Linux-audit mailing list