proposed interface changes for filesystem audit

Timothy R. Chavez tinytim at us.ibm.com
Wed Nov 2 22:50:29 UTC 2005


On Wednesday 02 November 2005 16:11, Amy Griffis wrote:
> On Wed, Nov 02, 2005 at 04:22:20PM -0500, Steve Grubb wrote:
> > On Wednesday 02 November 2005 16:10, Amy Griffis wrote:
> > > auditctl -a exit,always -S all -F path=/home/watchme
> > 
> > Thanks. That helps clarify it for me.
> > 
> > > These two rules would be functionally equivalent, but the first is
> > > more convenient:
> > >
> > > auditctl -a exit,always -S fs-remove -F path=/home/watchme
> > > auditctl -a exit,always -S rename -S rmdir -S unlink -F path=/home/watchme
> > 
> > Does your patch change the kernel to accept multiple syscalls in an audit 
> > rule? Currently, we have 1 syscall per rule.
> 
> Yes, 1 syscall per rule has been the typical usage, but the kernel
> actually supports multiple syscalls per rule (and possibly has from
> the beginning).  So, something like this already works today:
> 
> auditctl -a exit,always -S rename -S rmdir -S unlink -F inode=1234
> 
> Amy
> 

er... oops I didn't read this one first ;)

-tim
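Added example, not part of the thread above: since the kernel already takes several -S flags in one rule, a proposed group name such as fs-remove can be expanded in user space before the rule reaches auditctl. The group membership (rename, rmdir, unlink) is taken from the thread; the helper names are hypothetical.

```sh
#!/bin/sh
# Expand the proposed "-S fs-remove" shorthand into the explicit
# multi-syscall form the kernel accepts today (example code, not
# from the audit project).

# Map a group name to its member syscalls; anything else is
# returned unchanged so plain syscall names still work.
audit_syscall_group() {
    case "$1" in
        fs-remove) echo "rename rmdir unlink" ;;
        *)         echo "$1" ;;
    esac
}

# Rewrite an auditctl argument list, turning every "-S <group>"
# into one "-S <syscall>" per member.  Prints the result on one line.
expand_audit_rule() {
    out=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-S" ] && [ $# -gt 1 ]; then
            for sc in $(audit_syscall_group "$2"); do
                out="$out -S $sc"
            done
            shift 2
        else
            out="$out $1"
            shift
        fi
    done
    # drop the single leading space added by the first append
    printf '%s\n' "${out#?}"
}

# The printed line is what would be handed to auditctl.
expand_audit_rule -a exit,always -S fs-remove -F path=/home/watchme
```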
