[RFC][PATCH] (#6 U1) the latest incarnation

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 25 17:15:41 UTC 2005


On Fri, 2005-03-25 at 12:05 -0500, Stephen Smalley wrote:
> We are only talking about post hooks to generate audit messages via
> audit_notify_watch() if the inode has previously been marked by
> audit_attach_watch().  Given your other hooks, it should already be
> possible to audit reads and writes to device nodes (since a watch should
> be possible to attach using your existing hooks in
> d_instantiate/d_splice_alias and notifications should be generated using
> your hook in permission), so why not allow auditing of creates as well?
> Given that udev makes /dev dynamic, it seems like watches might be
> important there as well, eh?

As a trivial test of the ability to audit reads and writes to device
nodes already, I did:
	auditctl -w /dev/null
and then did:
	echo hello > /dev/null
As expected, this generated an audit record.

Hence, while it may be fine to omit symlinks, I see no reason to not
include an audit_notify_watch call at the end of vfs_mknod that allows
you to generate an audit record for device creations based on name, as
you can already attach watches to device nodes and generate audit for
opens on them.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency



