watching files in selinuxfs

Klaus Weidner klaus at atsec.com
Wed Sep 27 22:11:31 UTC 2006


On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
> Debora Velarde wrote:
> > # auditctl -a exit,always -S open -F inode=4
> > # auditctl -l
> > LIST_RULES: exit,always inode=4 (0x4) syscall=open
> 
> I wonder what this is actually doing.  An inode number without
> a file system isn't very interesting.  Should this rule even
> be accepted?

Well, probably this is telling the audit system to audit access to all
inodes with the number 4 on any filesystem, and if that's not what you
want you need to be more specific...

Given the Unix philosophy of allowing admins to shoot themselves in the
foot, would a warning be appropriate?

-Klaus
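
Added example, not part of the original message: a sketch of why an inode number only identifies a file together with its device, and how a rule can be pinned to one filesystem. It assumes auditctl's `devmajor` and `devminor` rule fields; the sample records and paths are constructed.

```python
import os
from collections import defaultdict

def file_identity(path):
    """Return (devmajor, devminor, inode) for path, without following symlinks."""
    st = os.lstat(path)
    return os.major(st.st_dev), os.minor(st.st_dev), st.st_ino

def qualified_rule(path, syscall="open"):
    """Build an auditctl rule string that ties the inode to its device.

    Assumption: the -F devmajor= / -F devminor= fields are available.
    """
    major, minor, inode = file_identity(path)
    return (f"auditctl -a exit,always -S {syscall} "
            f"-F inode={inode} -F devmajor={major} -F devminor={minor}")

def ambiguous_inodes(records):
    """records: iterable of (devmajor, devminor, inode, path).

    Return {inode: [(devmajor, devminor, path), ...]} for every inode
    number that appears on more than one device, i.e. the files an
    inode-only rule would match together.
    """
    by_inode = defaultdict(dict)
    for major, minor, inode, path in records:
        by_inode[inode].setdefault((major, minor), path)
    return {ino: sorted((maj, mnr, p) for (maj, mnr), p in devs.items())
            for ino, devs in by_inode.items() if len(devs) > 1}

# Constructed sample: inode 4 exists on two different devices.
SAMPLE = [
    (8, 1, 4, "/example/rootfs/file-a"),
    (0, 17, 4, "/example/pseudofs/file-b"),
    (8, 1, 1201, "/example/rootfs/file-c"),
]

if __name__ == "__main__":
    for ino, hits in ambiguous_inodes(SAMPLE).items():
        print(f"inode={ino} alone matches {len(hits)} devices: {hits}")
    # Device-qualified rule for a real path on this machine.
    print(qualified_rule("/"))
```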



