From: "Timothy R. Chavez" <tinytim@us.ibm.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: [RFC][PATCH] (#3) file system auditing
Date: Thu, 28 Apr 2005 15:31:25 -0500
Message-ID: <1114720285.6554.88.camel@localhost>
In-Reply-To: <20050426232819.GA11810@infradead.org>

On Wed, 2005-04-27 at 00:28 +0100, Christoph Hellwig wrote:
> On Tue, Apr 26, 2005 at 04:04:46PM -0500, Timothy R. Chavez wrote:
> > Hello,
> >
> > The audit subsystem is currently incapable of auditing a file system
> > object based on its location and name.
>

Hello Christoph,

I apologize for the delay in my response. Thank you for your response.
I'll try to be succinct.

> Which doesn't make sense in our world of per-process namespaces.

The audit subsystem is responsible for generating accounts of activity
in the kernel for the purposes of examination and verification. Thus,
in terms of audit, how we capture becomes less important than what we
capture, as long as it remains consistent, right? Given A, B follows.

The syscall filtering on (inode,device)-pairs is not enough to construct
complete accounts of activity across transactions in which an underlying
inode is subject to change. Once that inode changes, we've lost audit.
So, we've introduced an abstract methodology by which the administrator
is able to "watch" by location and name. This allows us to ultimately
examine and verify actions taken against, say, "/etc/shadow", and not
simply the inode currently associated with it.

> Unless this is not just a silly checkbox item for government certification
> please add it only to your favourite vendor tree.

I think that certs are a perfectly legitimate use-case for a kernel's
_audit_ subsystem.

I'd like to maintain a relative focus here on linux-fsdevel. When I RFC
on LKML, we can argue the virtues of audit and certifications there.

-tim
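
Added example, not part of the original message or of the patch under discussion: a user-space Python sketch of why a rule keyed on an (inode,device) pair stops matching a name once the file behind it is replaced. It assumes a write-new-then-rename update as one instance of the "transactions" mentioned above; the temporary directory, the file name `shadow` and its contents are constructed stand-ins.

```python
import os
import tempfile


def dev_ino(path):
    """The (device, inode) pair an inode-keyed audit rule would match on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def edit_in_place(path, data):
    """Append to the existing file: the name keeps its inode."""
    with open(path, "a") as f:
        f.write(data)


def replace_by_rename(path, data):
    """Write a new file, then rename it over the old name: the name gets a new inode."""
    tmp = path + ".new"
    with open(tmp, "w") as f:
        f.write(data)
    os.rename(tmp, path)


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        watched_path = os.path.join(d, "shadow")     # constructed stand-in for /etc/shadow
        with open(watched_path, "w") as f:
            f.write("root:LOCKED\n")                 # constructed sample content
        rule = dev_ino(watched_path)                 # inode-keyed rule, fixed when it is set
        old_fd = os.open(watched_path, os.O_RDONLY)  # keeps the old inode observable
        try:
            edit_in_place(watched_path, "alice:LOCKED\n")
            after_edit = dev_ino(watched_path) == rule
            replace_by_rename(watched_path, "root:CHANGED\n")
            after_rename = dev_ino(watched_path) == rule
            orphan_links = os.fstat(old_fd).st_nlink  # what the inode rule still points at
            with open(watched_path) as f:
                current = f.read()                   # what a name-based watch resolves to
        finally:
            os.close(old_fd)
        return {"match_after_edit": after_edit, "match_after_rename": after_rename,
                "old_inode_links": orphan_links, "content_at_path": current}


if __name__ == "__main__":
    print(run_demo())
```

After the rename, the inode-keyed rule refers to an unlinked inode with no name, while the path resolves to the new contents, which is the gap a watch by location and name is meant to close.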