[PATCH] change lspp inode auditing
Steve Grubb
sgrubb at redhat.com
Wed Mar 29 19:44:10 UTC 2006

On Wednesday 29 March 2006 14:34, Valdis.Kletnieks at vt.edu wrote:
> > In that case, the patch writes out the sid number. Given a sid, is there
> > a way to find it in the policy on disk? If not, that might be useful to
> > have.
>
> The problem is that by the time you go to snarf it out of the policy on
> disk, it may no longer match the policy in effect at the time of the record
> generation.

That should be handled by site configuration control. Assuming that they are
careful to keep old policy around...can it be correlated?

> The hole probably isn't *that* bad if auditd is doing the grovelling.

Auditd has no time to do any correlation. This would have to be done
post-mortem just like uid conversion is done. I think this is an exceptional
condition and just want to make sure we can close the loop manually if this
ever happened.

-Steve