linux-audit: reconstruct path names from syscall events?
Steve Grubb
sgrubb at redhat.com
Fri Oct 7 18:02:41 UTC 2011
On Friday, October 07, 2011 01:20:23 PM Casey Schaufler wrote:
> I would be delighted if someone came up with the fiendishly
> clever solution to the issue. I am not going to bet on one
> in my lifetime.
It doesn't even need to be fiendishly clever to be useful. Using the /etc/shadow
analogy, what we get now is just shadow. Shadow where? /etc? /var/chroot/bind/etc?
/backup/etc? Any clue would be helpful. Bind mounts, chroot, and namespaces all make
it interesting, but just adding the dir as an aux record would make things so much
better. We can solve the other problem another day.
-Steve