From: Steve Grubb <sgrubb@redhat.com>
To: Greg KH <greg@kroah.com>
Cc: "Timothy R. Chavez" <tinytim@us.ibm.com>,
	Andrew Morton <akpm@osdl.org>,
	linux-audit@redhat.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	David Woodhouse <dwmw2@infradead.org>,
	Mounir Bsaibes <mbsaibes@us.ibm.com>,
	Serge Hallyn <serue@us.ibm.com>,
	Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk>,
	Klaus Weidner <klaus@atsec.com>, Chris Wright <chrisw@osdl.org>,
	Stephen Smalley <sds@tycho.nsa.gov>, Robert Love <rml@novell.com>,
	Christoph Hellwig <hch@infradead.org>,
	Daniel H Jones <danjones@us.ibm.com>,
	Amy Griffis <amy.griffis@hp.com>,
	Maneesh Soni <maneesh@in.ibm.com>
Subject: Re: [PATCH] audit: file system auditing based on location and name
Date: Wed, 6 Jul 2005 21:33:05 -0400
Message-ID: <200507062133.05827.sgrubb@redhat.com>
In-Reply-To: <20050706235008.GA9985@kroah.com>

On Wednesday 06 July 2005 19:50, Greg KH wrote:
> As inotify works off of open file descriptors, yes, this is true.  But,
> again, if you think this is really important, then why not just work
> with inotify to provide that kind of support to it?

http://marc.theaimsgroup.com/?l=linux-kernel&m=110265021327578&w=2

I think Tim was told not to dig into inotify. A lot of effort has been put 
into testing the code Tim has presented with review from several kernel 
developers (listed in the cc). They too should step up and give their opinion 
on this.

I want to believe questions were asked about this last December when we were 
starting into this effort. I think the conclusion from the inotify people was 
for us to proceed and then when we know what we really want, we can refactor 
should anything be in common.

> I suggest you work together with the inotify developers to hash out your
> differences, as it sounds like you are duplicating a lot of the same
> functionality.

Maybe yes and no. Now that the fs audit code is out, I think we can spot 
commonality. The only common piece that I can think of is just the hook. The 
whole rest of it is different. I hope the inotify people comment on this to 
see if there is indeed something that should be refactored.

> Do you have any documentation or example userspace code that shows how to
> use this auditfs interface you have created?

people.redhat.com/sgrubb/audit

The audit package is currently distributed in Fedora Core 4. The code to use 
Tim's fs audit code is in the user space app, but is waiting for the kernel 
pieces.

There is a man page for auditctl that shows all the options (the fs-specific 
options are -wWpk). To watch /etc/shadow, you would issue:

auditctl -w /etc/shadow -p wa

This will generate events for any update to the file including changes to 
ownership or permissions. We are interested in attribute changes as well. If 
you wanted to watch a file in a chroot directory, you could do this:

auditctl -w /var/chroot/etc/shadow -p wa -k /var/chroot

The audit events would indicate the path from the perspective of the app 
generating the events, but since we added the /var/chroot key, we can see 
that it really came from the chroot dir.

Hope this helps...

-Steve Grubb
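The watch rules described in the message above, as an added example that is not part of the original mail or the audit package: a small POSIX sh helper that builds `auditctl -w/-p/-k` rules with the flag checks a practitioner would want, and resolves the chroot-relative path an event reports back to the host path using the key. The list of watched paths is constructed for illustration; setting AUDIT_APPLY=1 is an assumed switch of this script, not an auditctl option.

```shell
#!/bin/sh
# Added example: build auditctl watch rules (-w path -p perms -k key) and
# map an event's reported path back to the host path via the chroot key.

# Print one rule. perms may only contain the watch flags r, w, x, a.
audit_watch_rule() {
    path=$1; perms=$2; key=$3
    case "$perms" in
        ''|*[!rwxa]*) echo "audit_watch_rule: bad perms '$perms'" >&2; return 1 ;;
    esac
    case "$path" in
        /*) ;;
        *) echo "audit_watch_rule: path must be absolute: '$path'" >&2; return 1 ;;
    esac
    if [ -n "$key" ]; then
        printf '%s %s -p %s -k %s\n' "-w" "$path" "$perms" "$key"
    else
        printf '%s %s -p %s\n' "-w" "$path" "$perms"
    fi
}

# The event names the file as the process saw it (e.g. /etc/shadow inside the
# chroot). When the key is an absolute path, it is the chroot directory and
# the host path is key + name; any other key is just a label, so name is kept.
resolve_event_path() {
    key=$1; name=$2
    case "$key" in
        /*) printf '%s\n' "${key%/}$name" ;;
        *)  printf '%s\n' "$name" ;;
    esac
}

# Constructed watch list: the host shadow file and the one inside a chroot,
# keyed with the chroot directory so its events can be told apart.
gen_rules() {
    audit_watch_rule /etc/shadow wa
    audit_watch_rule /var/chroot/etc/shadow wa /var/chroot
}

# Only load the rules when explicitly asked (needs root and auditctl);
# otherwise just print them for review.
if [ "${AUDIT_APPLY:-0}" = 1 ] && command -v auditctl >/dev/null 2>&1; then
    gen_rules | while read -r rule; do auditctl $rule; done
else
    gen_rules
fi
```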
