On Thursday, August 06, 2015 02:31:57 PM Casey Schaufler wrote: > I remember the Orange Book days when we were *required* to audit by > dev/inode because it was the only true way to identify the object. Yes, > it's analogous to auditing the pid, but we had to audit by that, too. The > dev/indode and pid are the "true" names. Anything else is a hint at what > you're looking at. I can easily imaging someone who really cares about the > audit data supplying the dev/inode and pid.
Just to add a bit of clarity, my original question was if there was any value in exposing the unset/invalid device and inode values, e.g. -1. While I agree that there is value in auditing by dev/inode, I can't think of a reasonable situation where the user would need to pass an unset/invalid device and/or inode value into the kernel as part of an audit configuration command. -- paul moore security @ redhat -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
