what's in the works

Timothy R. Chavez tinytim at us.ibm.com
Mon Mar 28 19:50:38 UTC 2005


On Monday 28 March 2005 12:59 pm, Steve Grubb wrote:
> On Monday 28 March 2005 12:55, Timothy R. Chavez wrote:
> > The down side is if they wanted the global list of all watches (they can
> > get at):
> >
> > find / -type d -exec auditctl -L {} ";"
> >
> > would be the way to do that -- this would take a great amount of time
> > (but would be most accurate).
>
> What happened to all those text strings that auditctl sent into the kernel
> to set up the watches? Did they get discarded? It seems to me that they
> should still be around and on a list of some kind.

Hm?  The watch.name we pass into the kernel is a <path> to the watch point.  
We use it to walk the filesystem up to the parent of the watch point.  The 
watch that is added into the filesystem has a watch->name eq "terminating 
file/dir name of <path>" -- We can only assume <path> is relevant for this 
walk for the reasons I mentioned in my prior e-mail.

>
> -Steve

-- 
-tim
