[RFC][PATCH] (#6) filesystem auditing

Timothy R. Chavez tinytim at us.ibm.com
Wed Mar 16 17:16:28 UTC 2005


On Wednesday 16 March 2005 11:05 am, Stephen Smalley wrote:
<snip>
>
> I would have expected this to implicitly enable auditing whenever
> audit_notify_watch() is called on an inode that has previously been
> flagged as requiring auditing by audit_watch().  I wouldn't expect it to
> require further rules, and I certainly wouldn't want to have to audit
> all opens just to get these records...

Alright, let me see what I can do.  The advantage to using the syscall is that 
when you assembled the record from its serial numbers, you could see "Ok an 
open() was called on our watched file and failed" -- I didn't really feel 
like there was a better or easier way to express this when I first started 
development.

-tim



