From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: linux-audit: reconstruct path names from syscall events?
Date: Fri, 7 Oct 2011 14:02:41 -0400
Message-ID: <201110071402.41508.sgrubb@redhat.com>
References: <20110917001215.GA961@zombie.hq.fstein.net>
 <1317995458.3304.9.camel@localhost>
 <4E8F34D7.1030407@schaufler-ca.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <4E8F34D7.1030407@schaufler-ca.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, October 07, 2011 01:20:23 PM Casey Schaufler wrote:
> I would be delighted if someone came up with the fiendishly
> clever solution to the issue. I am not going to bet on one
> in my lifetime.

It doesn't even need to be fiendishly clever to be useful. Using the
/etc/shadow analogy, what we get now is just shadow. Shadow where? /etc?
/var/chroot/bind/etc? /backup/etc? Any clue would be helpful. Bind mounts,
chroot, and namespaces all make it interesting, but just adding the dir as
an aux record would make things so much better. We can solve the other
problem another day.

-Steve