    [PATCH] audit: path-based rules · f368c07d
    Amy Griffis authored
    In this implementation, audit registers inotify watches on the parent
    directories of paths specified in audit rules.  When audit's inotify
    event handler is called, it updates any affected rules based on the
    filesystem event.  If the parent directory is renamed, removed, or its
    filesystem is unmounted, audit removes all rules referencing that
    inotify watch.
    To keep things simple, this implementation limits location-based
    auditing to the directory entries in an existing directory.  Given
    a path-based rule for /foo/bar/passwd, the following table applies:
        passwd modified -- audit event logged
        passwd replaced -- audit event logged, rules list updated
        bar renamed     -- rule removed
        foo renamed     -- untracked, meaning that the rule now applies to
                           the new location
    Audit users typically want to have many rules referencing filesystem
    objects, which can significantly impact filtering performance.  This
    patch also adds an inode-number-based rule hash to mitigate this
    The patch is relative to the audit git tree:
    and uses the inotify kernel API:
    http://lkml.org/lkml/2006/6/1/145
    Signed-off-by: Amy Griffis <amy.griffis@hp.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
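A user-space model of the rule lifecycle described in the commit message, added here as an example; it is not the kernel's code and not the patch author's. Each rule puts an inotify watch on the parent directory of its path; an event on the entry with the rule's name re-resolves the rule's inode (the "passwd replaced" row), an event on the directory itself drops the rule (the "bar renamed" row), and a rename of a higher directory goes unnoticed (the "foo renamed" row). Syscall-time matching is then a lookup by inode number in a small chained hash, standing in for the inode-number-based rule hash the message mentions. All identifiers (rule_table, audit_rule, rule_add, process_events, audit_filter, ...) are hypothetical, the code is Linux-only, and it does not refcount a watch shared by several rules on the same directory.

```c
/* Added example, not kernel code: rule lifecycle driven by inotify on the
 * parent directory, plus an inode-number hash for syscall-time matching.
 * All names here are hypothetical. Linux only. */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_RULES    16
#define HASH_BUCKETS 32
/* Entry churn under the parent, and fate of the parent itself. */
#define PARENT_MASK (IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO | \
                     IN_MOVE_SELF | IN_DELETE_SELF | IN_UNMOUNT)

struct audit_rule {
    char path[PATH_MAX];   /* e.g. /foo/bar/passwd */
    const char *name;      /* final component, points into path */
    int wd;                /* inotify watch on the parent directory */
    ino_t ino;             /* current inode of the entry, 0 if absent */
    int active;
    int hnext;             /* chain link inside the inode hash */
};

struct rule_table {
    int fd;                /* inotify instance, non-blocking */
    struct audit_rule rules[MAX_RULES];
    int nrules;
    int head[HASH_BUCKETS];
};

unsigned ino_bucket(ino_t ino) { return (unsigned)(ino % HASH_BUCKETS); }

static void hash_insert(struct rule_table *t, int i) {
    unsigned b = ino_bucket(t->rules[i].ino);
    t->rules[i].hnext = t->head[b];
    t->head[b] = i;
}

static void hash_remove(struct rule_table *t, int i) {
    int *p = &t->head[ino_bucket(t->rules[i].ino)];
    while (*p != -1 && *p != i) p = &t->rules[*p].hnext;
    if (*p == i) *p = t->rules[i].hnext;
}

int rules_init(struct rule_table *t) {
    memset(t, 0, sizeof *t);
    for (int b = 0; b < HASH_BUCKETS; b++) t->head[b] = -1;
    t->fd = inotify_init1(IN_NONBLOCK);
    return t->fd;
}

/* Register a path-based rule; the parent directory must exist, the entry
 * need not. Returns the rule index or -1. */
int rule_add(struct rule_table *t, const char *path) {
    if (t->nrules >= MAX_RULES) return -1;
    const char *slash = strrchr(path, '/');
    if (!slash || !slash[1]) return -1;              /* need "dir/entry" */
    struct audit_rule *r = &t->rules[t->nrules];
    char parent[PATH_MAX];
    struct stat st;
    snprintf(r->path, sizeof r->path, "%s", path);
    r->name = r->path + (slash - path) + 1;
    snprintf(parent, sizeof parent, "%.*s",
             (int)(slash == path ? 1 : slash - path), path);
    r->wd = inotify_add_watch(t->fd, parent, PARENT_MASK);
    if (r->wd < 0) return -1;
    r->ino = (stat(path, &st) == 0) ? st.st_ino : 0;
    r->active = 1;
    hash_insert(t, t->nrules);
    return t->nrules++;
}

/* Apply one inotify event to every rule watching that directory. */
static void handle_event(struct rule_table *t, const struct inotify_event *ev) {
    for (int i = 0; i < t->nrules; i++) {
        struct audit_rule *r = &t->rules[i];
        if (!r->active || r->wd != ev->wd) continue;
        if (ev->mask & (IN_MOVE_SELF | IN_DELETE_SELF | IN_UNMOUNT)) {
            hash_remove(t, i);               /* "bar renamed": rule removed */
            r->active = 0;
        } else if (ev->len && strcmp(ev->name, r->name) == 0) {
            struct stat st;                  /* "passwd replaced": re-resolve */
            hash_remove(t, i);
            r->ino = (stat(r->path, &st) == 0) ? st.st_ino : 0;
            hash_insert(t, i);
        }
    }
}

/* Drain the queue; returns the number of events handled. */
int process_events(struct rule_table *t) {
    char buf[4096] __attribute__((aligned(8)));
    int n = 0;
    for (;;) {
        ssize_t len = read(t->fd, buf, sizeof buf);
        if (len <= 0) return n;                      /* EAGAIN: queue empty */
        for (char *p = buf; p < buf + len; n++) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            handle_event(t, ev);
            p += sizeof *ev + ev->len;
        }
    }
}

/* Syscall-time filter: index of a rule matching this inode, or -1. */
int audit_filter(const struct rule_table *t, ino_t ino) {
    if (ino == 0) return -1;
    for (int i = t->head[ino_bucket(ino)]; i != -1; i = t->rules[i].hnext)
        if (t->rules[i].active && t->rules[i].ino == ino) return i;
    return -1;
}

int main(int argc, char **argv) {
    struct rule_table t;
    if (argc < 2 || rules_init(&t) < 0 || rule_add(&t, argv[1]) < 0) {
        fprintf(stderr, "usage: %s /dir/entry\n", argv[0]);
        return 1;
    }
    while (t.rules[0].active) {                /* poll until the rule dies */
        sleep(1);
        if (process_events(&t))
            printf("%s now inode %lu\n", argv[1], (unsigned long)t.rules[0].ino);
    }
    puts("parent directory renamed/removed/unmounted: rule removed");
    return 0;
}
```

Run it as `./a.out /tmp/foo/bar/passwd`, then replace the file with `mv` and rename `bar` from another shell to see both transitions. The kernel version differs in that the watch is refcounted across rules and the removal also fires on IN_IGNORED; this model simply never calls inotify_rm_watch.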
audit.h 4.52 KB