On Tue, 2006-08-08 at 11:10 -0400, James Antill wrote:
> On Tue, 2006-08-08 at 09:19 -0400, Janak Desai wrote:
> >
> > Klaus, would it be sufficient, for meeting LSPP requirement, to
> > audit write(2) of the fscreate file?
>
> Doesn't audit write work via inode numbers? If so I don't see how you
> could audit anything in /proc (try: ls -i /proc/self/.). Even if you can
> fix the inode stability problem, how can you specify to
> audit /proc/*/attr/fscreate?
>

Yes, this was pointed out by one of my team members as well. He is currently investigating setting up watches and possibly capturing the open() call. I am adding Steve Grubb and Amy to the cc list in case they have any ideas on what we can do. Basically, we need to audit the fact that the /proc/*/attr/fscreate file has been updated with a new context.

-Janak

> --
> redhat-lspp mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/redhat-lspp
