Logging failed open() calls on /var/log/audit/audit.log
Alexander Viro
aviro at redhat.com
Tue Jun 27 22:03:23 UTC 2006
On Tue, Jun 27, 2006 at 05:36:43PM -0400, Linda Knippers wrote:
> Steve Grubb wrote:
> > On Tuesday 27 June 2006 17:15, Amy Griffis wrote:
> >
> >>If you would like to see a record in this case, you must add a watch
> >>for /var/log/audit.
> >
> >
> > I don't see a record watching this either.
>
> I think we're missing the directory lookup syscall(s) on watches
> right now.
Careful - that's one hell of a hot path. Note that we'll get many of
those for each syscall that does pathname resolution; moreover, when
we hit dcache, we should be careful about blocking.
More information about the Linux-audit
mailing list