summaryrefslogtreecommitdiffstats
path: root/scripts
diff options
context:
space:
mode:
authorAmy Griffis <amy.griffis@hp.com>2006-04-07 16:55:56 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2006-06-20 05:25:27 -0400
commitf368c07d7214a7c41dfceb76c8db473b850f0229 (patch)
treee3f1e2d1a6ffbe61bf99ece51b906654728db4c9 /scripts
parent20ca73bc792be9625af184cbec36e1372611d1c3 (diff)
downloadop-kernel-dev-f368c07d7214a7c41dfceb76c8db473b850f0229.zip
op-kernel-dev-f368c07d7214a7c41dfceb76c8db473b850f0229.tar.gz
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent directories of paths specified in audit rules. When audit's inotify event handler is called, it updates any affected rules based on the filesystem event. If the parent directory is renamed, removed, or its filesystem is unmounted, audit removes all rules referencing that inotify watch. To keep things simple, this implementation limits location-based auditing to the directory entries in an existing directory. Given a path-based rule for /foo/bar/passwd, the following table applies: passwd modified -- audit event logged passwd replaced -- audit event logged, rules list updated bar renamed -- rule removed foo renamed -- untracked, meaning that the rule now applies to the new location Audit users typically want to have many rules referencing filesystem objects, which can significantly impact filtering performance. This patch also adds an inode-number-based rule hash to mitigate this situation. The patch is relative to the audit git tree: http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary and uses the inotify kernel API: http://lkml.org/lkml/2006/6/1/145 Signed-off-by: Amy Griffis <amy.griffis@hp.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
OpenPOWER on IntegriCloud