[RFC][PATCH] (#6) filesystem auditing

Stephen Smalley sds at tycho.nsa.gov
Wed Mar 16 19:05:39 UTC 2005


On Wed, 2005-03-16 at 11:16 -0600, Timothy R. Chavez wrote:
> Alright, let me see what I can do.  The advantage to using the syscall is that 
> when you assembled the record from its serial numbers, you could see "Ok an 
> open() was called on our watched file and failed" -- I didn't really feel 
> like there was a better or easier way to express this when I first started 
> development.

Compare with the existing syscall filter rules for opening a specific
inode, e.g. even with vanilla 2.6.11, I can do the following:
  auditctl -a exit,always -S open -F inode=`ls -i /etc/shadow | awk '{print $1}'`

And then a cat /etc/shadow generates an audit record, whereas opening
other files does not.  Note that I should actually be specifying a
(device, inode) pair to avoid ambiguity, but I don't think chrisw's
fixes for the device filters were included in 2.6.11.

Offhand, I don't see why you wouldn't just always set context->auditable
to 1 upon any audit_notify_watch() call on an inode marked as requiring
auditing, but alternatively, you could define a new filter "field"
called "watch" and modify the kernel and auditctl so that if someone
specified:
  auditctl -a exit,always -S open -F watch
then the kernel would only generate an audit record if a watched inode
was encountered during processing of an open syscall.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
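The (device, inode) caveat in the reply above, worked through as an added example that is not part of the original thread: a small POSIX sh helper that builds the syscall filter rule from both numbers instead of inode alone, so a file on another filesystem that happens to reuse the inode number does not match. It assumes the field names devmajor, devminor and inode accepted by current auditctl builds (the 2005 kernel under discussion may not have honoured the device fields, as the reply notes), and it lists openat alongside open because modern C libraries open files through openat(). The scratch file in the usage line is a constructed stand-in for /etc/shadow.

```shell
#!/bin/sh
# Build an auditctl syscall filter that pins a file by (device, inode).
# Added example; not code from the thread.  Assumes GNU/BusyBox stat -c
# and the devmajor/devminor/inode filter fields of current auditctl.

# Split a Linux st_dev value into major/minor the way glibc's major()
# and minor() macros do (assumption: the 64-bit dev_t layout used by
# glibc; 2049 decodes to 8:1, i.e. /dev/sda1 on a typical system).
dev_major() { echo $(( (($1 >> 8) & 0xfff) | (($1 >> 32) & ~0xfff) )); }
dev_minor() { echo $(( ($1 & 0xff) | (($1 >> 12) & ~0xff) )); }

# file_inode PATH: the inode number, the same value `ls -i` prints.
file_inode() { stat -c '%i' "$1"; }

# audit_open_rule PATH [SYSCALL...]: print an auditctl rule that fires
# only when one of the listed syscalls touches exactly this file.
# Defaults to open and openat.  Hypothetical helper, not an auditctl feature.
audit_open_rule() {
    path=$1; shift
    dev=$(stat -c '%d' "$path") || return 1
    ino=$(file_inode "$path") || return 1
    [ $# -gt 0 ] || set -- open openat
    rule="-a always,exit"
    for sc in "$@"; do rule="$rule -S $sc"; done
    echo "$rule -F devmajor=$(dev_major "$dev") -F devminor=$(dev_minor "$dev") -F inode=$ino"
}

# Usage (constructed input: a scratch file standing in for /etc/shadow):
#   f=$(mktemp); audit_open_rule "$f"; rm -f "$f"
# The printed line is what you would pass to auditctl, e.g.
#   auditctl $(audit_open_rule /etc/shadow)
```

Compared with the `ls -i | awk` one-liner in the reply, the only change in the rule is the two extra -F device fields; everything else (the exit list, the syscall selection) is the same mechanism.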



