On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> Thanks. Could you also point to portions in the codebase where these
> functions are called for monitoring file access?

I'll let Richard or Paul point to the place in the kernel if that's necessary. I think there's a fundamental mismatch and it might not matter.

> The reason I'm asking for this is that I'm trying to provide auditing for
> files of a specific type and I'm trying to understand how would that work.

The way the audit system works is there is a rule engine in the kernel. User space loads the rules and listens for events. The kernel does all the work. This rule matching can be done by a limited set of attributes, which for a file would be path, kind of access, who is accessing it, program accessing it, portions of SELinux labeling, and a few other things. You cannot match by type or anything that looks like a glob. You can arrange them in a directory and watch the whole directory. You can create a script that looks for files of a certain type and load rules specifically for them into the kernel (with a specific key so you can find them later). Or you can plug into auditd as a plugin and filter the events and write them to your own log. There might be some other approaches such as using fanotify and filtering those events yourself.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
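An added example of the "script that looks for files of a certain type" approach from the reply above. This is not code from the thread or from the audit project: it generates one kernel watch rule per matching file, tags every rule with a key so the whole set can later be searched (ausearch -k) and removed (auditctl -D -k) as a group, and reloads the set when files appear or disappear. The directory, file suffix and key names are made up for the example; loading rules requires root and the auditctl/ausearch tools from audit-userspace.

```sh
#!/bin/sh
# Example (not from the linux-audit thread or the audit project): build per-file
# audit watch rules for every file of a given type and tag them with a key.
# Assumed names: the directory, suffix and key passed in are hypothetical.

# gen_audit_rules DIR SUFFIX KEY
# Print one "-w PATH -p rwa -k KEY" line for every regular file under DIR whose
# name ends in SUFFIX. Output is sorted so repeated runs are comparable.
# Rule files are split on whitespace, so a path containing whitespace cannot be
# expressed safely; such files are skipped with a warning instead of emitting a
# broken rule.
gen_audit_rules() {
  dir=$1; suffix=$2; key=$3
  # The kernel limits a key to 31 characters; fail early rather than at load time.
  if [ "${#key}" -gt 31 ]; then
    echo "gen_audit_rules: key '$key' is longer than 31 characters" >&2
    return 1
  fi
  find "$dir" -type f -name "*$suffix" | LC_ALL=C sort | while IFS= read -r f; do
    case $f in
      *[[:space:]]*)
        echo "gen_audit_rules: skipping path with whitespace: $f" >&2
        continue ;;
    esac
    # -p rwa: record reads, writes and attribute changes (add x to log execution)
    printf -- '-w %s -p rwa -k %s\n' "$f" "$key"
  done
}

# load_audit_rules DIR SUFFIX KEY RULEFILE
# Write the generated rules to RULEFILE, drop the previous generation of rules
# carrying KEY, and load the new set. Re-run from cron or a path unit whenever
# the set of files may have changed. Requires root and auditctl.
load_audit_rules() {
  rulefile=$4
  gen_audit_rules "$1" "$2" "$3" > "$rulefile" || return 1
  auditctl -D -k "$3" >/dev/null   # delete only the rules tagged with this key
  auditctl -R "$rulefile"          # load the freshly generated rules
}

# Usage (as root), with hypothetical names:
#   load_audit_rules /srv/data .db dbfiles /etc/audit/rules.d/dbfiles.rules
#   ausearch -k dbfiles -i        # find every event produced by these rules
#   auditctl -D -k dbfiles        # remove the whole set again
```

Because the match is on the exact path, a file created after the last run is not covered until the script runs again; if that window matters, watching the parent directory as a whole (`-w /srv/data -p rwa -k dbfiles`) and filtering by name afterwards is the alternative the reply mentions.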