From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rudi Chiarito
Subject: Re: Filesystem access statistics
Date: Wed, 12 Apr 2006 22:12:33 +0200
Message-ID: <20060412201233.GB1399@plain.rackshack.net>
References: <20060412152325.GA1399@plain.rackshack.net> <200604121226.29081.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: 
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by int-mx1.corp.redhat.com (8.12.11.20060308/8.11.6) with ESMTP id k3CKFfJc003063 for ; Wed, 12 Apr 2006 16:15:41 -0400
Received: from server4.8080.it (ev1s-207-44-234-28.ev1servers.net [207.44.234.28] (may be forged)) by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k3CKFYus029024 for ; Wed, 12 Apr 2006 16:15:35 -0400
Content-Disposition: inline
In-Reply-To: <200604121226.29081.sgrubb@redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, Apr 12, 2006 at 12:26:29PM -0400, Steve Grubb wrote:
> I would think that you could write a program to do this via the audit
> dispatcher interface. In auditd.conf,
>
> dispatcher = /usr/bin/your-program
> log_format = nolog

Will that preempt any other audit users that might be looking for events
downstream? Sounds a bit too drastic, although I guess I am not the typical
case, so an application as "intrusive" as mine won't be needed on the
average system.

> if (hdr.type == AUDIT_PATH) {

libaudit.h from audit-libs-devel 1.1.5-1 only has AUDIT_FS_INODE. Is this
new in 1.2 or a typo? I saw mention of a new filesystem API in the audit RPM
changelog. Is that part of it?

> You can then set the audit rules for whatever you want to measure, if all you
> want to measure is the opens,

That's a very good question by itself. Anything that peeks into a directory
should do, I guess. That would mean not just opens, but also directory
traversals, unlink calls, etc. Are there aliases of any kind? The kernel just
gained a bunch of new *at() syscalls. If I had written this a month or two
ago, I would have most likely missed them. Is there a way to look for present
and future syscalls dealing with files/inodes?

> You can use devmajor and devminor fields to limit the audit system to
> reporting opens on an exact partition. This is highly recommended. On my

That's a good idea where applicable. Thanks.

-- 
Rudi
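The dispatcher consumer Steve suggests, and the per-partition filtering he recommends, look roughly like the C program below. It is an example added here, not code from this thread or from the audit project: it parses the stream auditd writes to the dispatcher's stdin (a small header followed by the record text, one pair per record), keeps only AUDIT_PATH records, optionally restricts them to one device by the dev= field (the consumer-side counterpart of a devmajor/devminor rule filter), and tallies hits per path. The header layout (struct disp_hdr, mirroring struct audit_dispatcher_header from libaudit.h), the record type numbers, and every sample record are assumptions constructed for the example; the hex-encoded name and the final record whose size field promises more bytes than follow are there to show how a consumer should cope with unprintable paths and a truncated stream.

```c
#include <stdint.h>
#include <string.h>

#define AUDIT_SYSCALL 1300   /* record type numbers as in <linux/audit.h> */
#define AUDIT_PATH    1302
#define MAX_PATHS     64

/* Assumed layout of the header auditd writes before every record on the dispatcher's stdin
 * (mirrors struct audit_dispatcher_header in libaudit.h; declared locally to build without it). */
struct disp_hdr { uint32_t ver, hlen, type, size; };   /* size = bytes of record text that follow */

/* Tally of PATH records per file name, plus a count of records that could not be trusted. */
struct stats { struct { char name[256]; unsigned hits; } paths[MAX_PATHS]; int n; unsigned bad_records; };

/* Copy the value of key=... from a NUL-terminated record into out, stripping quotes; unquoted
 * tokens (hex-encoded names the kernel emits for unprintable paths) are copied verbatim. */
static int get_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key), n;
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen) {
        if ((p != rec && p[-1] != ' ') || p[klen] != '=')
            continue;                        /* whole key only, so "dev" skips "rdev=" */
        p += klen + 1;
        n = strcspn(p, " \n");               /* unquoted token */
        if (*p == '"') {                     /* quoted value */
            const char *q = strchr(++p, '"');
            if (q == NULL) return 0;         /* unterminated quote: malformed record */
            n = (size_t)(q - p);
        }
        if (n >= outsz) n = outsz - 1;
        memcpy(out, p, n);
        out[n] = '\0';
        return 1;                            /* found */
    }
    return 0;                                /* key absent */
}

/* Number of PATH records tallied for name, 0 if never seen. */
unsigned hits(const struct stats *st, const char *name)
{
    for (int i = 0; i < st->n; i++)
        if (strcmp(st->paths[i].name, name) == 0) return st->paths[i].hits;
    return 0;
}

/* Walk a dispatcher byte stream and tally AUDIT_PATH records whose dev= field equals
 * want_dev (major:minor in hex, as the kernel prints it); want_dev == NULL means any. */
void count_paths(const unsigned char *buf, size_t len, const char *want_dev, struct stats *st)
{
    size_t off = 0;
    struct disp_hdr h;
    char text[4096], dev[32], name[256];
    memset(st, 0, sizeof *st);
    while (off + sizeof h <= len) {
        memcpy(&h, buf + off, sizeof h);     /* copy out: no alignment assumptions */
        if (h.hlen < sizeof h || h.hlen > len - off || h.size > len - off - h.hlen) {
            st->bad_records++;               /* header promises bytes that never arrived */
            break;
        }
        const unsigned char *rec = buf + off + h.hlen;
        off += h.hlen + h.size;
        if (h.type != AUDIT_PATH) continue;  /* SYSCALL, CWD, ... are not needed here */
        if (h.size >= sizeof text) { st->bad_records++; continue; }   /* oversized: skip it */
        memcpy(text, rec, h.size); text[h.size] = '\0';
        if (want_dev && (!get_field(text, "dev", dev, sizeof dev) || strcmp(dev, want_dev)))
            continue;                        /* another partition */
        if (!get_field(text, "name", name, sizeof name)) continue;
        int i = 0;
        while (i < st->n && strcmp(st->paths[i].name, name) != 0) i++;
        if (i < st->n) st->paths[i].hits++;
        else if (i < MAX_PATHS) {            /* new path; name is already NUL-terminated */
            memcpy(st->paths[i].name, name, sizeof name);
            st->paths[i].hits = 1;
            st->n++;
        }
    }
}

/* Constructed sample stream (not real auditd output): one SYSCALL record, four PATH records
 * on two devices, then a header claiming 500 bytes of text that is followed by only six. */
void run_sample(const char *want_dev, struct stats *st)
{
    static const struct { uint32_t type, size; const char *text; } recs[] = {
        { AUDIT_SYSCALL, 0, "audit(1144874400.123:42): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2044 uid=0" },
        { AUDIT_PATH, 0, "audit(1144874400.123:42): item=0 name=\"/etc/passwd\" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00" },
        { AUDIT_PATH, 0, "audit(1144874400.456:43): item=0 name=\"/tmp/scratch\" inode=77 dev=00:0f mode=0100600 ouid=500 ogid=500 rdev=00:00" },
        { AUDIT_PATH, 0, "audit(1144874400.678:44): item=0 name=\"/etc/passwd\" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00" },
        { AUDIT_PATH, 0, "audit(1144874400.789:45): item=0 name=2F7661722F6C6F672F74C3A97374 inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00" },
        { AUDIT_PATH, 500, "audit(" },       /* size field lies: truncated record */
    };
    unsigned char buf[2048]; size_t len = 0;
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        size_t n = strlen(recs[i].text);
        struct disp_hdr h = { 0, sizeof h, recs[i].type, recs[i].size ? recs[i].size : (uint32_t)n };
        memcpy(buf + len, &h, sizeof h);
        memcpy(buf + len + sizeof h, recs[i].text, n);
        len += sizeof h + n;
    }
    count_paths(buf, len, want_dev, st);
}
```

Two things the example makes visible that the thread only hints at. First, the consumer never trusts the size field: a header that claims more bytes than the stream holds, or a record larger than the parser's buffer, is counted and skipped rather than read past the end, which matters because the dispatcher runs as a long-lived root process fed by a pipe. Second, the consumer only ever sees what the rules send it, so the coverage question Rudi raises (opens versus directory traversals, unlinks, and the new *at() syscalls) has to be answered on the rule side; filtering PATH records by dev= here reproduces the devmajor/devminor restriction for whatever syscalls those rules do cover, but it cannot recover events that no rule ever emitted.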