[redhat-lspp] Re: [PATCH] testing new audit features
Steve Grubb
sgrubb at redhat.com
Wed Apr 5 19:18:22 UTC 2006
On Monday 20 March 2006 18:38, Amy Griffis wrote:
> In contrast to existing audit rule field types, these types require string
> fields. E.g., AUDIT_WATCH requires a path like "/etc/passwd",
> AUDIT_SE_USER requires a user label like "user_u".
I have some questions since I'm readying user space tools to support this:
1) Does this file system auditing do away with filter keys? Are they no longer
needed?
2) What about perms? If someone wanted to express that they want to get write
changes to /etc/passwd, how do they do it?
> audit_rule_syscallbyname((struct audit_rule *)rule, "all");
> rule->flags = AUDIT_FILTER_EXIT;
> rule->action = AUDIT_ALWAYS;
3) Does this mean that the file system auditing is handled by the syscall exit
filter?
4) Does each rule get added to the filter or is there some short circuit that
keeps them out of the filter?
5) Does the syscall matter? It's being set to "all", just curious if it really
matters.
6) The example does not show devmajor and devminor getting used. Does this
affect anything?
-Steve