peculiar disappearance of most audit rules
Eric Paris
eparis at redhat.com
Mon Apr 21 19:03:28 UTC 2014
On Mon, 2014-04-21 at 11:35 -0700, lists_todd at mac.com wrote:
>
> On Apr 21, 2014, at 11:28 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>
> > What happens is that the text path that you put in a watch is a human
> > convenience. The kernel doesn't understand strings, it understands
> > numbers. It changes the path into device and inode information.
>
>
> Cool. So I am guessing the rule works even if someone creates a hard
> link to the same watched path and access files through that other
> path?
As I remember, and it's been a long time, watches should survive even if
the object being watched is deleted and recreated. I seem to remember
it was only if the parent directory is deleted that rules get evicted.
So that doesn't explain it for /boot! Pretty darn hard to delete /!
But it could easily make sense for your other areas being watched...
But yes, if you watch /etc/shadow and someone accesses that inode
through another hard link, you will get audit records...
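The device+inode point made in this thread, as an added example that is not part of the original messages: an inode-keyed watch covers every hard link of the file, and a file that is deleted and rewritten at the same path is a different object from the one the kernel originally resolved. The script uses a scratch directory standing in for /etc/shadow so it runs unprivileged; the shadow-format lines are constructed sample data, and it assumes GNU `stat` (Linux). The `auditctl`/`ausearch` invocations are shown only in comments.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread). On a real system the
# watch the thread talks about would be installed with
#   auditctl -w /etc/shadow -p wa -k shadow
# and its records read back with
#   ausearch -k shadow
# The kernel stores the watched object as device:inode, so the checks below
# compare exactly that pair.

# dev:inode identity of a path (GNU stat). This is the pair the watch keys on.
file_identity() {
    stat -c '%d:%i' "$1"
}

# Exit 0 when both paths name the same inode on the same device.
same_object() {
    [ "$(file_identity "$1")" = "$(file_identity "$2")" ]
}

# Exit 0 when a hard link shares the watched identity and a plain copy does
# not: a watch on "shadow" would fire for writes through "shadow.link" but
# stay silent for "shadow.copy".
hardlink_shares_identity() {
    dir=$(mktemp -d) || return 1
    # constructed stand-in for /etc/shadow
    printf 'root:*:19000:0:99999:7:::\n' > "$dir/shadow"
    ln "$dir/shadow" "$dir/shadow.link"     # second name, same inode
    cp "$dir/shadow" "$dir/shadow.copy"     # new inode, same bytes
    same_object "$dir/shadow" "$dir/shadow.link" &&
        ! same_object "$dir/shadow" "$dir/shadow.copy"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Exit 0 when deleting the file and writing a new one at the same path yields
# a different inode. A spare hard link keeps the old inode allocated so the
# filesystem cannot hand the same number back, which makes the result
# deterministic: the identity the kernel resolved at rule-load time now
# belongs to "shadow.keep", not to the new file sitting at the watched path.
recreate_changes_identity() {
    dir=$(mktemp -d) || return 1
    printf 'root:*:19000:0:99999:7:::\n' > "$dir/shadow"
    old=$(file_identity "$dir/shadow")
    ln "$dir/shadow" "$dir/shadow.keep"
    rm "$dir/shadow"
    printf 'root:*:19001:0:99999:7:::\n' > "$dir/shadow"   # "recreated" file
    new=$(file_identity "$dir/shadow")
    if [ "$old" != "$new" ] && [ "$(file_identity "$dir/shadow.keep")" = "$old" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone run: report both observations.
if hardlink_shares_identity; then
    echo "hard link shares the watched dev:inode; a copy does not"
fi
if recreate_changes_identity; then
    echo "delete + recreate produced a new dev:inode at the same path"
fi
```

The second check is why an audit watch has to do more than remember a number: after delete and recreate the stored device:inode no longer names the file at the watched path, so the rule only keeps working if the kernel re-resolves the path through the parent directory, which is the behaviour Eric describes above.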