From: Steve Grubb
Subject: Re: [PATCH] audit: file system auditing based on location and name
Date: Wed, 6 Jul 2005 21:33:05 -0400
Message-ID: <200507062133.05827.sgrubb@redhat.com>
References: <1120668881.8328.1.camel@localhost> <200507061523.11468.tinytim@us.ibm.com> <20050706235008.GA9985@kroah.com>
In-Reply-To: <20050706235008.GA9985@kroah.com>
To: Greg KH
Cc: "Timothy R. Chavez" , Andrew Morton , linux-audit@redhat.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, David Woodhouse , Mounir Bsaibes , Serge Hallyn , Alexander Viro , Klaus Weidner , Chris Wright , Stephen Smalley , Robert Love , Christoph Hellwig , Daniel H Jones , Amy Griffis , Maneesh Soni
List-Id: linux-fsdevel.vger.kernel.org

On Wednesday 06 July 2005 19:50, Greg KH wrote:
> As inotify works off of open file descriptors, yes, this is true. But,
> again, if you think this is really important, then why not just work
> with inotify to provide that kind of support to it?

http://marc.theaimsgroup.com/?l=linux-kernel&m=110265021327578&w=2

I think Tim was told not to dig into inotify. A lot of effort has been put
into testing the code Tim has presented with review from several kernel
developers (listed in the cc). They too should step up and give their opinion
on this.

I want to believe questions were asked about this last December when we were
starting into this effort. I think the conclusion from the inotify people was
for us to proceed and then when we know what we really want, we can refactor
should anything be in common.

> I suggest you work together with the inotify developers to hash out your
> differences, as it sounds like you are duplicating a lot of the same
> functionality.

Maybe yes and no. Now that the fs audit code is out, I think we can spot
commonality. The only common piece that I can think of is just the hook. The
whole rest of it is different. I hope the inotify people comment on this to
see if there is indeed something that should be refactored.

> Do you have any documentation or example userspace code that shows how to
> use this auditfs interface you have created?

people.redhat.com/sgrubb/audit

The audit package is currently distributed in Fedora Core 4. The code to use
Tim's fs audit code is in the user space app, but is waiting for the kernel
pieces.

There is a man page for auditctl that shows all the options. (fs specific
options are -wWpk ) To watch /etc/shadow, you would issue:

    auditctl -w /etc/shadow -p wa

this will generate events for any update to the file including changes to
ownership or permissions. We are interested in attribute changes as well. If
you wanted to watch a file in a chroot directory, you could do this:

    auditctl -w /var/chroot/etc/shadow -p wa -k /var/chroot

The audit events would indicate the path from the perspective of the app
generating the events, but since we added the /var/chroot key, we can see
that it really came from the chroot dir.

Hope this helps...

-Steve Grubb
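As an added illustration (not code from this message or from the audit package), the POSIX shell functions below build the -w/-p/-k watch rules described above, including the chroot case where the key carries the chroot root, and reject malformed rules before they reach auditctl. The permission letter set r/w/x/a and the absolute-path requirement are assumptions about auditctl's syntax, not something the message states.

```shell
#!/bin/sh
# Added example: generates auditctl watch rules of the form shown in the
# message (-w path -p perms [-k key]). It only prints the commands; loading
# them requires root on an audit-enabled kernel.

# audit_watch_rule PATH PERMS [KEY]  -> prints one auditctl command, or fails
audit_watch_rule() {
    path=$1; perms=$2; key=$3
    # assumption: a watch must name an absolute path, otherwise the rule
    # would silently depend on the current directory of whoever loads it
    case $path in
        /*) ;;
        *) echo "error: path must be absolute: $path" >&2; return 1;;
    esac
    # assumption: -p accepts only r (read), w (write), x (execute),
    # a (attribute change); anything else is rejected here rather than
    # producing a rule that auditctl would refuse or misread
    case $perms in
        '' | *[!rwxa]*) echo "error: bad perms '$perms' (use r/w/x/a)" >&2; return 1;;
    esac
    if [ -n "$key" ]; then
        printf 'auditctl -w %s -p %s -k %s\n' "$path" "$perms" "$key"
    else
        printf 'auditctl -w %s -p %s\n' "$path" "$perms"
    fi
}

# chroot_watch_rules CHROOT FILE...  -> one "wa" rule per file inside the
# chroot, keyed with the chroot root. The event path is what the chrooted
# application sees, so the key is what lets the analyst tell the copies apart.
chroot_watch_rules() {
    root=${1%/}; shift          # drop a trailing slash so paths join cleanly
    for f in "$@"; do
        audit_watch_rule "$root$f" wa "$root" || return 1
    done
}
```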