Klaus Weidner wrote:
>>Klaus, would it be sufficient, for meeting LSPP requirement, to
>>audit write(2) of the fscreate file?
>
>
> I guess you could argue that it meets the requirement, but it's extremely
> ugly since it'll be hard to audit selectively. I don't think there's a
> sane way to set filesystem watches on all /proc/$PID/attr/fscreate files
> to get those specifically, and you don't want to be auditing all open(2)
> calls.
>
> It would be much cleaner to have audit records specifically for the
> attr/* operations. I think they'll be fairly uncommon in general use, so
> I think it would be ok to always audit them without having specific
> auditctl filters.

I agree. Watches really seem like the wrong tool here, even if it did work.

-- ljk

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
