From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alexander Viro <aviro@redhat.com>
Subject: Re: Logging failed open() calls on /var/log/audit/audit.log
Date: Tue, 27 Jun 2006 18:03:23 -0400
Message-ID: <20060627220323.GK4199@devserv.devel.redhat.com>
References: <Pine.CYG.4.64.0606271524300.1744@ninja>
	<20060627211553.GA11601@zk3.dec.com>
	<200606271721.05626.sgrubb@redhat.com> <44A1A4EB.6040205@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Content-Disposition: inline
In-Reply-To: <44A1A4EB.6040205@hp.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linda Knippers <linda.knippers@hp.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, Jun 27, 2006 at 05:36:43PM -0400, Linda Knippers wrote:
> Steve Grubb wrote:
> > On Tuesday 27 June 2006 17:15, Amy Griffis wrote:
> > 
> >>If you would like to see a record in this case, you must add a watch
> >>for /var/log/audit.
> > 
> > 
> > I don't see a record watching this either.
> 
> I think we're missing the directory lookup syscall(s) on watches
> right now.

Careful - that's one hell of a hot path.  Note that we'll get many of
those for each syscall that does pathname resolution; moreover, when
we hit dcache, we should be careful about blocking.