audit question (fwd)
Ilmar S. Habibulin
ilmar at watson.org
Fri Nov 9 08:23:19 GMT 2001
On Thu, 8 Nov 2001, Robert Watson wrote:
> One of the usual set of interesting questions raised by this post is how
> the audit system should identify objects in the file system namespace. As
[skip]
> due to the multiple-name problem). Others simple store device and inode
> number (doesn't work for file systems that don't use device or inode
> numbers). Do we have any thoughts on what answer might work best for us?
Well, i can share with my thoughts and experience. Why not to extend
device/inode number to other fses? I mean the idea of unique identification of
filesystem object. IMHO, every fs must have one. So there would be some
fs-specific object idetifier, like "UFS(device,inode)" for ufs. It's very
hard to get even relative path from inside kernel. In my simple audit
implementation i have special flags on set on UFS files in order to
register access to them, so i didn't mind about msdos or nfs. So i think
that we should concentrate on finding some unique kernel identifiers for
filesysytem objects, that can be interpreted from userland by audit daemon
and translated to real paths. This daemon must be very smart in that case,
but this intelligence is much more easier to implement in userland, than
in kernel. imho.
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message
More information about the trustedbsd-audit
mailing list