Logging failed open() calls on /var/log/audit/audit.log

Amy Griffis amy.griffis at hp.com
Tue Jun 27 23:10:32 UTC 2006


Timothy R. Chavez wrote: [Tue Jun 27 2006, 05:32:46PM EDT]
> Maybe because you're executing in the system-call attempting the access
> of audit.log and it's in this context the permissions to do so are
> checked.  Been a while, but looking at fs/open.c:do_sys_open, should
> there be an fsnotify_open() hook in the error path as well?

That wouldn't help.  If do_filp_open() returns an error, we don't have
an inode for the filename the user wanted to open.  So we don't have
any additional information to give the hook other than what audit has
already collected.



