audit question (fwd)
Robert Watson
rwatson at FreeBSD.org
Thu Nov 8 19:01:44 GMT 2001
One of the usual set of interesting questions raised by this post is how
the audit system should identify objects in the file system namespace. As
has been discussed extensively in the past, the notion of uniquely
identifying a file has some limitations in the context of a Sun-style VFS,
due to hard links, renames, deletions, chroot(), and other fun activities.
Some implementations I've seen cache the name of the file (with some
reassembly to provide an absolute path of sorts) used on file open, and
use that in audit records, or refer to it by file handle. Others try to
reconstruct out of the name cache (doesn't work on FreeBSD now that
intermediate directory vnodes can be purged from the cache under load, and
due to the multiple-name problem). Others simply store device and inode
number (doesn't work for file systems that don't use device or inode
numbers). Do we have any thoughts on what answer might work best for us?
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
On Thu, 1 Nov 2001, Ilmar S. Habibulin wrote:
>
> Someone already needs audit capability in freebsd.
>
> ---------- Forwarded message ----------
> Date: Wed, 31 Oct 2001 22:12:03 +0800
> From: edwin chen <slack at suntop-cn.com>
> To: freebsd-security at freebsd.org
> Subject: audit question
>
> hi, everybody
> if I want to log a message "who visited which file or directory, and when did it happen?", what command do I need?
>
> To Unsubscribe: send mail to majordomo at trustedbsd.org
> with "unsubscribe trustedbsd-audit" in the body of the message
>
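The identification problem raised in the message above can be reproduced from userland. This is an added example, not part of the original post or of any TrustedBSD code: it records a (device, inode) pair and the path used at open time, then shows what a hard link, a rename, and a deletion do to each. The file names are constructed, and it assumes a POSIX file system that supports hard links.

```python
import os
import tempfile

def file_id(st):
    """(device, inode) pair, the identifier the post says some systems store."""
    return (st.st_dev, st.st_ino)

def names_for(directory, ident):
    """Every name in `directory` that currently resolves to `ident`."""
    return sorted(
        n for n in os.listdir(directory)
        if file_id(os.lstat(os.path.join(directory, n))) == ident
    )

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        opened_as = os.path.join(d, "report.txt")   # constructed sample name
        fd = os.open(opened_as, os.O_CREAT | os.O_RDWR, 0o600)
        try:
            ident = file_id(os.fstat(fd))

            # Hard link: one object, two equally valid names.
            os.link(opened_as, os.path.join(d, "alias.txt"))
            results["after_link"] = names_for(d, ident)

            # Rename: the path cached at open time no longer exists.
            os.rename(opened_as, os.path.join(d, "moved.txt"))
            results["cached_path_valid"] = os.path.exists(opened_as)
            results["after_rename"] = names_for(d, ident)

            # Deletion: the open descriptor still works, but no name is left.
            os.unlink(os.path.join(d, "alias.txt"))
            os.unlink(os.path.join(d, "moved.txt"))
            st = os.fstat(fd)
            results["after_unlink"] = names_for(d, ident)
            results["nlink_after_unlink"] = st.st_nlink
            results["id_stable"] = file_id(st) == ident
        finally:
            os.close(fd)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An audit record that stores only the open-time path goes stale at the rename; one that stores only (device, inode) cannot say which name was used and, after the last unlink, maps to no name at all.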