| author | Amy Griffis <amy.griffis@hp.com> | 2006-04-07 22:55:56 +0200 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-06-20 11:25:27 +0200 |
| commit | f368c07d7214a7c41dfceb76c8db473b850f0229 (patch) | |
| tree | e3f1e2d1a6ffbe61bf99ece51b906654728db4c9 /init | |
| parent | [PATCH] Audit of POSIX Message Queue Syscalls v.2 (diff) | |
| download | linux-f368c07d7214a7c41dfceb76c8db473b850f0229.tar.xz linux-f368c07d7214a7c41dfceb76c8db473b850f0229.zip | |
[PATCH] audit: path-based rules
In this implementation, audit registers inotify watches on the parent
directories of paths specified in audit rules. When audit's inotify
event handler is called, it updates any affected rules based on the
filesystem event. If the parent directory is renamed, removed, or its
filesystem is unmounted, audit removes all rules referencing that
inotify watch.
To keep things simple, this implementation limits location-based
auditing to the directory entries in an existing directory. Given
a path-based rule for /foo/bar/passwd, the following table applies:
passwd modified -- audit event logged
passwd replaced -- audit event logged, rules list updated
bar renamed -- rule removed
foo renamed -- untracked, meaning that the rule now applies to
the new location
Audit users typically want to have many rules referencing filesystem
objects, which can significantly impact filtering performance. This
patch also adds an inode-number-based rule hash to mitigate this
situation.
The patch is relative to the audit git tree:
http://kernel.org/git/?p=linux/kernel/git/viro/audit-current.git;a=summary
and uses the inotify kernel API:
http://lkml.org/lkml/2006/6/1/145
Signed-off-by: Amy Griffis <amy.griffis@hp.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'init')
| -rw-r--r-- | init/Kconfig | 3 |
|---|---|---|
1 files changed, 2 insertions, 1 deletions
diff --git a/init/Kconfig b/init/Kconfig index 3b36a1d53656..c4d0fa655d5d 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -182,7 +182,8 @@ config AUDITSYSCALL help Enable low-overhead system-call auditing infrastructure that can be used independently or with another kernel subsystem, - such as SELinux. + such as SELinux. To use audit's filesystem watch feature, please + ensure that INOTIFY is configured. config IKCONFIG bool "Kernel .config support" |
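Review bot: the only change to the AUDITSYSCALL entry is a help-text sentence ("To use audit's filesystem watch feature, please ensure that INOTIFY is configured"); nothing in the hunk expresses that dependency to Kconfig, so a configuration with AUDITSYSCALL enabled and INOTIFY unset is still accepted as valid. Since the path-based rules introduced by this patch are built on inotify watches, consider adding `select INOTIFY` (or `depends on INOTIFY`) to the AUDITSYSCALL entry rather than relying on the administrator to read the help text, or at least state in the help text what happens to path-based rules when INOTIFY is absent, so that a deployment counting on watch rules for detection does not silently end up without them. Minor style point: Kconfig help text elsewhere in this file does not use "please"; "Filesystem watch rules require INOTIFY" reads more in keeping with the surrounding entries.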