Klaus Weidner wrote:
> On Wed, Sep 27, 2006 at 05:46:52PM -0400, Linda Knippers wrote:
>
>>Debora Velarde wrote:
>>
>>># auditctl -a exit,always -S open -F inode=4
>>># auditctl -l
>>>LIST_RULES: exit,always inode=4 (0x4) syscall=open
>>
>>I wonder what this is actually doing. An inode number without
>>a file system isn't very interesting. Should this rule even
>>be accepted?
>
>
> Well, probably this is telling the audit system to audit access to all
> inodes with the number 4 on any filesystem, and if that's not what you
> want you need to be more specific...

That's exactly what it's doing. Debora verified she's getting the audit
record she's looking for and I verified that you'll also get audit records
for any inode 4, at least on my system.

>
> Given the Unix philosophy of allowing admins to shoot themselves in the
> foot, would a warning be appropriate?

I would think so. I'm not exactly sure how you'd specify the file system
you want. Is it the major/minor pair?

-- ljk

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
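
The following is an added example, not part of the original message or of the audit project's code. It shows why a bare `inode=4` rule matches files on several filesystems, and builds a rule scoped to one device with auditctl's `devmajor` and `devminor` fields. The helper names and the sample records are constructed; it assumes the installed auditctl accepts those fields and that the device numbers `stat()` reports are the ones the kernel compares against.

```python
import os
from collections import defaultdict

# Constructed sample: (path, device major, device minor, inode number).
SAMPLE = [
    ("/proc/sys/kernel", 0, 3, 4),
    ("/boot/grub", 8, 1, 4),
    ("/home/alice/notes.txt", 8, 3, 4),
    ("/etc/shadow", 8, 2, 1311),
]


def inode_collisions(records):
    """Return {inode: [paths]} for inode numbers seen on more than one device.

    Every path listed for an inode would be matched by a rule that filters
    on that inode number alone.
    """
    by_inode = defaultdict(dict)
    for path, major, minor, ino in records:
        by_inode[ino].setdefault((major, minor), []).append(path)
    return {
        ino: sorted(p for paths in devs.values() for p in paths)
        for ino, devs in by_inode.items()
        if len(devs) > 1
    }


def scoped_rule(path, syscall="open"):
    """Build an auditctl command that pins the rule to one inode on one device.

    An inode number is only unique within a filesystem, so the rule carries
    the device major/minor pair taken from the same stat() call.
    """
    st = os.stat(path)
    return (
        "auditctl -a exit,always -S %s -F inode=%d -F devmajor=%d -F devminor=%d"
        % (syscall, st.st_ino, os.major(st.st_dev), os.minor(st.st_dev))
    )


if __name__ == "__main__":
    # Which sample paths would a bare inode filter lump together?
    for ino, paths in inode_collisions(SAMPLE).items():
        print("inode=%d alone matches: %s" % (ino, ", ".join(paths)))
    # Rule text for a real file on this machine (printed, not executed).
    print(scoped_rule("/"))
```

Inode numbers can be reused after a file is deleted, so a rule generated this way should be regenerated whenever the watched file is replaced.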
