what's in the works

Timothy R. Chavez tinytim at us.ibm.com
Mon Mar 28 17:55:28 UTC 2005


On Monday 28 March 2005 11:29 am, Steve Grubb wrote:
> On Monday 28 March 2005 12:05, Timothy R. Chavez wrote:
> > Thus you really wouldn't know the location of these watches.
>
> I prefer keeping it simple. Just dump the whole list. This is how the list
> rules works. Besides,

Right, but list rules is fundamentally different than the watch list stuff.  
Trying to make it "all fit" might make it look rather sloppy and give us 
misinformation.  Technically speaking, the watches are disseminated all over 
an entire filesystem and they appear on different devices and namespaces.  
What makes a watch is two parts: its location, and what's at that location.  
If we dump back a "global" list simply with the paths we used to add the 
watch and we have,

"/usr/this_file_is_watched"..

How do we know this is accurate?  

What if we changed the /usr device by mounting over it after we inserted the 
watch and we then forgetfully say to ourselves, "Oh we have a watch 
at /usr/this_file_is_watched" and then we try to remove it, but to no avail; 
the watch doesn't truly exist here (ie: we can't get to it from this path 
currently).  This information is not trustworthy.

Even if we could do a d_path() on the dentry that holds the watch (this would 
require that we save the dentry on the watch), this might not give us ALL the 
information we need.  I think it's easy enough for the admin to go, "Oh hm, I 
wonder if I added a watch here, let me check" -- The down side is if they 
wanted the global list of all watches (they can get at):

find / -type d -exec auditctl -L {} ";"

would be the way to do that -- this would take a great amount of time (but 
would be most accurate).

>
> audit -L | grep '^\/tmp'
>
> should get the ones on tmp.
>
> -Steve

-- 
-tim
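Tim's point above is that a watch is identified by two things, the path and the object currently sitting at that path, so a path-only listing can silently go stale once something is mounted over or replaced. The script below is an added illustration, not code from this thread or from the audit project: it records the device:inode pair when a watch is placed and later checks whether the path still resolves to that same object. It assumes GNU coreutils `stat` (the `-c` format option); the function and file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): identify a watched location by the
# object behind the path, not the path alone. Assumes GNU `stat -c`.

# Print "device:inode" for whatever object the path resolves to right now.
watch_fingerprint() {
    stat -c '%d:%i' -- "$1" 2>/dev/null || return 1
}

# Compare a fingerprint recorded when the watch was set against the object
# the path resolves to today. Prints one of:
#   same  - the path still leads to the object that was watched
#   moved - the path exists but is a different object (something mounted
#           over it, or the file replaced), so the old watch is not here
#   gone  - the path is no longer reachable at all
watch_check() {
    path=$1
    recorded=$2
    current=$(watch_fingerprint "$path") || { echo gone; return 2; }
    if [ "$current" = "$recorded" ]; then
        echo same
        return 0
    fi
    echo moved
    return 1
}

# Demonstration on a constructed temporary file.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/this_file_is_watched"
    : > "$f"
    fp=$(watch_fingerprint "$f")
    echo "watch set at $f ($fp)"
    watch_check "$f" "$fp"                 # same
    : > "$dir/other"; mv -f -- "$dir/other" "$f"   # same path, new object
    watch_check "$f" "$fp"                 # moved
    rm -f -- "$f"
    watch_check "$f" "$fp"                 # gone
    rmdir "$dir"
}

demo
```

The `moved` case is the situation described in the mail: the path you remembered is still there, but the watch you added is not reachable through it anymore.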
