[RFC][PATCH] (#6 U1) the latest incarnation

Timothy R. Chavez tinytim at us.ibm.com
Thu Mar 24 17:00:10 UTC 2005


On Thursday 24 March 2005 10:28 am, Stephen Smalley wrote:
> Both approaches ensure that an audit record
> is emitted whenever an auditable inode is encountered, but the present
> approach yields two separate audit records (one immediate from your hook
> and one upon syscall exit) vs. a single unified record.  What do we
> want?  What do others think?

Hmmm...  Here's what I get:

./auditctl -w /audit/foo -k fk_foo
cat /audit/foo

audit(1111683374.383:13808290): name="foo" filterkey=fk_foo perm=0 perm_mask=4 
inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683374.383:13808290): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0 
a3=8000 items=1 pid=31676 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0
audit(1111683374.383:13808290): item=0 name="/audit/foo" inode=962899 
dev=00:00

This seems to be a complete record.  I add an additional watch:

./auditctl -w /audit -k fk_audit
cat /audit/foo

audit(1111683471.201:13919013): name="audit" filterkey=fk_audit perm=0 
perm_mask=1 inode=960993 inode_uid=0 inode_gid=0 inode_dev=03:03 
inode_rdev=00:00
audit(1111683471.201:13919013): name="foo" filterkey=fk_foo perm=0 perm_mask=4 
inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683471.201:13919013): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0 
a3=8000 items=1 pid=31692 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0
audit(1111683471.201:13919013): item=0 name="/audit/foo" inode=962899 
dev=00:00

-- 
-tim
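The records above all carry one `audit(timestamp:serial)` prefix, which is what lets a consumer rebuild either the split or the unified view from the same stream. As an added example (not code from this thread or from the audit subsystem), the Python below groups records by that event id, re-joining the lines the mail client wrapped, and collapses each event into one summary; the sample log is the second run above, embedded inline.

```python
import re

# Constructed sample: the second run above, kept with the mail client's line
# wrapping so that the continuation handling below is exercised.
SAMPLE_LOG = """\
audit(1111683471.201:13919013): name="audit" filterkey=fk_audit perm=0
perm_mask=1 inode=960993 inode_uid=0 inode_gid=0 inode_dev=03:03
inode_rdev=00:00
audit(1111683471.201:13919013): name="foo" filterkey=fk_foo perm=0 perm_mask=4
inode=962899 inode_uid=0 inode_gid=0 inode_dev=03:03 inode_rdev=00:00
audit(1111683471.201:13919013): syscall=5 exit=3 a0=bffff8a3 a1=8000 a2=0
a3=8000 items=1 pid=31692 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0
audit(1111683471.201:13919013): item=0 name="/audit/foo" inode=962899
dev=00:00
"""

RECORD_RE = re.compile(r'^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

def unwrap(text):
    # A line that does not start with 'audit(' continues the wrapped record before it.
    records = []
    for line in text.splitlines():
        if line.startswith('audit('):
            records.append(line)
        elif records:
            records[-1] += ' ' + line.strip()
    return records

def group_events(text):
    # Bucket each record's field dict under its (timestamp, serial) event id, in log order.
    events = {}
    for rec in unwrap(text):
        m = RECORD_RE.match(rec)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
            events.setdefault((m.group('ts'), int(m.group('serial'))), []).append(fields)
    return events

def summarize(records):
    # The single unified view: which watches fired, and which syscall triggered them.
    watches = [r for r in records if 'filterkey' in r]
    syscall = next((r for r in records if 'syscall' in r), None)
    return {'watch_keys': [r['filterkey'] for r in watches],
            'watch_inodes': [int(r['inode']) for r in watches],
            'syscall': int(syscall['syscall']) if syscall else None,
            'pid': int(syscall['pid']) if syscall else None,
            'record_count': len(records)}
```

Run as `for eid, recs in group_events(SAMPLE_LOG).items(): print(eid, summarize(recs))` to see that the two watch records and the syscall record collapse into a single event keyed by serial 13919013.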

More information about the Linux-audit mailing list