[RFC][PATCH 2/2] (#6 U2) filesystem auditing

Timothy R. Chavez tinytim at us.ibm.com
Tue Mar 29 15:55:16 UTC 2005


On Tuesday 29 March 2005 08:50 am, Steve Grubb wrote:
> On Monday 28 March 2005 20:55, Timothy R. Chavez wrote:
> >    -> Added support for watch listing in auditctl
>
> I'm happy we have something. However, we never finished the discussion from
> yesterday. I don't think you should have to pass a path to list the
> watches. Let's just walk the watch list and dump the strings. Maybe what
> you are thinking of is a watch status command? Pass a path and it tells you
> what device and namespace it's bound to. But I'm just guessing since we need
> to finish the questions I posed yesterday:

Sorry, I went to a Jon "Maddog" Hall presentation on Economics & Open Source 
-- good stuff.  I tried to explain to you why I felt it wouldn't be a good 
idea to just dump the strings.  What you'd get right now is something like:

'name=foo, filterkey=fk_foo, permissions=15'

To me, this isn't that informative, because you have no idea where 'foo' is.  
I mean, I can add this, if this is what you want -- it can use the same 
master list that the "remove all" feature will eventually use.  However, no 
plans for this in the near near future (week) -- must get to linux-fsdevel.

>
> 1) Can you explicitly state the namespace or device when you load a watch?

No, this is implied by the path you specify.

>
> 2) Does the device and namespace get implicitly bound to the path by virtue
> of who loaded the watch and the mount table that is in effect at the time the
> rule was loaded?

Yes.

>
> 3) Does the watch work for all name spaces and devices?

All namespaces: Yes.  Same inode no matter which view of the file system 
you're using.

All devices: No.  Different devices, different inodes.  Thus, we may not mount 
over a watched path and expect a remapping of watches on top of it.  Why?  
These aren't the same objects that the administrator targeted for audit (and 
plus, it'd be really hard to do with the current design ;-)).

>
> These topics need to be documented for the man page.
>
> > + Changed types in libaudit to be identical to the types of audit_watch
> > in audit.h
>
> I'll readjust the types to userspace types. __u32 is kernel. uint32_t is
> userspace.

Alright.

>
> Thanks,
> -Steve

-tim
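
Added example, not part of the original message or of the audit patch: a userspace model of the binding described in the answers above, assuming a watch is identified by the (st_dev, st_ino) pair its path resolved to at load time. The names watch_id, watch_bind, watch_matches and demo are hypothetical, and the files are constructed in a scratch directory.

```c
/* Added illustration: a userspace model only, not the audit patch's code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical record: the object a path resolved to when the watch was loaded. */
struct watch_id { dev_t dev; ino_t ino; };

/* Resolve the path now and remember the object behind it. Returns 0 on success. */
static int watch_bind(const char *path, struct watch_id *w)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    w->dev = st.st_dev;
    w->ino = st.st_ino;
    return 0;
}

/* 1 if path currently resolves to the watched object, 0 if not, -1 on error. */
static int watch_matches(const char *path, const struct watch_id *w)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return st.st_dev == w->dev && st.st_ino == w->ino;
}

static int touch(const char *p) { FILE *f = fopen(p, "w"); return f ? fclose(f) : -1; }
/* Constructed scenario. Returns a bitmask: bit0 = original path matches,
 * bit1 = a hard link (other name, same inode) matches,
 * bit2 = the same path still matches after a different file replaced it. */
int demo(void)
{
    char dir[] = "/tmp/watchdemoXXXXXX", a[64], b[64], c[64];
    struct watch_id w;
    int r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/foo", dir);
    snprintf(b, sizeof b, "%s/foo_link", dir);
    snprintf(c, sizeof c, "%s/new", dir);
    if (touch(a) || watch_bind(a, &w) || link(a, b)) return -1;
    r |= watch_matches(a, &w) == 1 ? 1 : 0;
    r |= watch_matches(b, &w) == 1 ? 2 : 0;
    if (touch(c) || rename(c, a)) return -1;  /* a new object takes the old name */
    r |= watch_matches(a, &w) == 1 ? 4 : 0;
    unlink(a); unlink(b); rmdir(dir);
    return r;                                  /* 3: bits 0 and 1 set, bit 2 clear */
}
int main(void) { printf("mask=%d\n", demo()); return 0; }
```

In this model the name alone says nothing about which object is covered, which is the same reason a different device mounted over a watched path presents different objects.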



