proposed interface changes for filesystem audit

Amy Griffis amy.griffis at hp.com
Wed Nov 2 21:10:32 UTC 2005


On Wed, Nov 02, 2005 at 02:58:20PM -0500, Steve Grubb wrote:
> On Wednesday 02 November 2005 14:40, Amy Griffis wrote:
> > (2) A set of filesystem-related aliases for groups of system calls.
> >     Currently, one alias "all" is provided that maps to the full set
> >     of system calls on a given arch.
> 
> Could you show a full auditctl example of this alias?

auditctl -a exit,always -S all -F path=/home/watchme

With the result being that all bits are set in audit_rule.mask.

> >     Here are some examples of other aliases that could be provided:
> >
> >     fs-create:  creat,link,mkdir,mknod,open,rename,symlink
> >     fs-remove:  rename,rmdir,unlink
> >     fs-attr:    chmod,chown,fchmod,fchown,fremovexattr,fsetxattr,lchown,
> >                 lremovexattr,lsetxattr,removexattr,setxattr,truncate,utime(s)
> >     fs-all:     all filesystem-related syscalls
> 
> And one or two of these?

These two rules would be functionally equivalent, but the first is
more convenient:

auditctl -a exit,always -S fs-remove -F path=/home/watchme
auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme

> > (3) If backward compatibility with the -w,-W, and -p options is
> >     desired, 
> 
> Yes, it is for now.
> 
> Thanks,
> -Steve
> 
> 
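
The equivalence described in the reply above (an `fs-remove` alias versus three separate `-S` options, and `-S all` setting every mask bit), as an added example that is not part of the original message or the audit project's code. It assumes x86_64 syscall numbers and a 64-word mask; `set_syscall` and `expand_alias` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MASK_WORDS 64                      /* assumed mask size: 64 x 32 bits */
#define WORD(nr) ((nr) / 32)
#define BIT(nr)  (UINT32_C(1) << ((nr) % 32))

/* Constructed table: x86_64 numbers for rename, rmdir, unlink (assumption). */
static const int fs_remove_nrs[] = { 82, 84, 87 };

/* Hypothetical helper: set the bit for one syscall, as one "-S name" would. */
int set_syscall(int nr, uint32_t mask[MASK_WORDS])
{
    if (nr < 0 || nr >= MASK_WORDS * 32)
        return -1;                         /* number does not fit in the mask */
    mask[WORD(nr)] |= BIT(nr);
    return 0;
}

/* Hypothetical helper: expand one alias from the thread into mask bits. */
int expand_alias(const char *name, uint32_t mask[MASK_WORDS])
{
    size_t i, n = sizeof fs_remove_nrs / sizeof fs_remove_nrs[0];
    if (strcmp(name, "all") == 0) {        /* "all": every bit set */
        memset(mask, 0xff, MASK_WORDS * sizeof mask[0]);
        return 0;
    }
    if (strcmp(name, "fs-remove") == 0) {
        for (i = 0; i < n; i++)
            if (set_syscall(fs_remove_nrs[i], mask) != 0)
                return -1;
        return 0;
    }
    return -1;                             /* unknown alias: reject the rule */
}

int main(void)
{
    uint32_t by_alias[MASK_WORDS] = {0}, by_name[MASK_WORDS] = {0};
    expand_alias("fs-remove", by_alias);
    set_syscall(82, by_name); set_syscall(84, by_name); set_syscall(87, by_name);
    printf("masks equal: %s, word 2 = 0x%08x\n",
           memcmp(by_alias, by_name, sizeof by_alias) == 0 ? "yes" : "no",
           (unsigned)by_alias[2]);
    return 0;
}
```

Syscall numbers differ per architecture, so an alias table of this kind has to be kept per arch.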



