Directory structure auditing - a case

Amy Griffis amy.griffis at hp.com
Fri Nov 18 19:22:03 UTC 2005


On Thu, Nov 17, 2005 at 03:58:42PM -0600, Michael C Thompson wrote:
> linux-audit-bounces at redhat.com wrote on 11/17/2005 02:22:15 PM:
> >
> > Amy and I talked about this briefly a week or so ago.  Her current
> > patch will not support this functionality as-is but we think it is
> > possible to develop a follow-up patch that supports watching
> > individual directories.  It's probably not possible to audit an
> > entire directory structure with a single watch but if one is
> > willing to specify each directory to be audited, then we might be
> > able to provide that capability.
>
> Would it be possible to have a watch that instructs a parent to
> watch its children? Perhaps that is what you are saying here... If
> so, that would be a very reasonable action.

Yes, that shouldn't be a problem.

> What is the limiting aspect that would not allow you to watch deeper
> than just 1 set of children? 

I thought about this a little more, and realized it could be more of a
possibility than I originally thought.

To support this feature, I imagine we would take the following
approach.  During each filesystem operation, walk the dentry tree from
the target object back to the root to re-construct the absolute path.
Then save this path in the audit_context for comparison with any
tree-based watches at syscall exit time.  The tree-based watches would
need to be flagged as such in the filter rules.

Before we consider adding something like this, we would need to
investigate the performance impact of adding the requisite extra
processing to the filesystem-related syscalls.

Amy

> Obviously, this could be set up with some kind of script or
> automation on the user's behalf if it's not possible, but I can see
> Mont's request being a very common one.
>
> Mike
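The approach Amy sketches above (walk the dentry tree back to the root to rebuild the absolute path, then compare it against tree-flagged watches at syscall exit) as an added user-space model; this is illustrative code, not the kernel audit patch under discussion. The `struct dentry`, `struct watch` layout, the `tree` flag and the sample tree and rules are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* User-space model of a dentry: a name plus a parent pointer (root has none). */
struct dentry { const char *name; const struct dentry *parent; };
/* Walk from the target dentry back to the root and build the absolute path;
   buf is filled from the end because the walk yields components in reverse. */
static int build_path(const struct dentry *d, char *buf, size_t len) {
    char *end = buf + len - 1, *p = end;
    *p = '\0';
    for (; d->parent; d = d->parent) {
        size_t n = strlen(d->name);
        if ((size_t)(p - buf) < n + 1) return -1;   /* buffer too small */
        p -= n; memcpy(p, d->name, n);
        *--p = '/';
    }
    if (p == end) { if (p == buf) return -1; *--p = '/'; }  /* target is root */
    memmove(buf, p, (size_t)(end - p) + 1);
    return 0;
}

/* A filter rule; 'tree' flags the tree-based kind that also covers children. */
struct watch { const char *path; int tree; };
/* Compare on whole path components, so /etc/pass never covers /etc/passwd. */
static int watch_matches(const struct watch *w, const char *path) {
    size_t n = strlen(w->path);
    if (strncmp(w->path, path, n) != 0) return 0;
    if (path[n] == '\0') return 1;                 /* the watched object itself */
    if (!w->tree) return 0;                        /* plain watch: no children */
    return n == 1 || path[n] == '/';               /* a watch on "/" covers all */
}
/* Syscall-exit style check: how many rules fire for the saved path. */
static int count_matches(const struct watch *ws, size_t nw, const char *path) {
    int hits = 0;
    for (size_t i = 0; i < nw; i++) hits += watch_matches(&ws[i], path);
    return hits;
}
/* Constructed sample tree and rules, not taken from any real system. */
static const struct dentry sample_root = { "", NULL };
static const struct dentry sample_etc = { "etc", &sample_root };
static const struct dentry sample_passwd = { "passwd", &sample_etc };
static const struct watch sample_rules[] = { { "/etc", 1 }, { "/etc", 0 },
                                             { "/etc/pass", 1 }, { "/", 1 } };
/* Reconstruct the sample path and count the rules it hits; -1 on error. */
static int sample_hits(void) {
    char path[64];
    if (build_path(&sample_passwd, path, sizeof path) != 0) return -1;
    return count_matches(sample_rules, 4, path);
}
int main(void) { printf("sample path hits %d rule(s)\n", sample_hits()); return 0; }
```

The per-syscall path reconstruction is exactly the cost Amy says would need measuring before such a feature could be merged.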
