Casey only talked about the easy part of the reason the pathnames are useless. He forgot to mention that the Linux kernel has mount namespaces. There is absolutely no reason why one could not mount a FS in the init namespace, launch a whole 'virtual machine' in that new FS, and then unmount the FS from the initial namespace. Now we have 2 COMPLETELY disjoint 'filesystems'.
The audit logs, and things like /proc/pid/fd or the d_path functions, are all going to be relative to the local FS namespace. Sometimes it just quite simply can't be resolved. So now inside the virtual machine namespace they might read/modify /etc/shadow, and that file IS /etc/shadow. There is no other 'path' for that file. True, it's not the same /etc/shadow as the one in the init FS namespace. And at some point there may have existed a path in the init namespace, /mnt/virt1/etc/shadow, which also represented that inode, but at this point in time the ONLY path which represents this file is /etc/shadow.

Audit logs based on name are wrong and misleading. There's a reason the auditable object is the inode and FS details Casey mentioned. We might usually be able to give some information, but that information cannot EVER be used for anything useful. It's unreliable. Exposing it only leads one to believe they have knowledge they don't.

-Eric

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
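The sequence Eric describes, reproduced as an added example (this is not code from the post or from the audit project). It assumes Linux with unprivileged user namespaces enabled and /proc mounted; the tmpfs under a mkdtemp directory and the MNT_DETACH step are stand-ins for "mount a FS, run something in it, unmount it from the initial namespace", and the hypothetical names same_inode, fd_path and mount_ns_demo are the example's own. The point it shows: after the detach, fstat() still returns the same (st_dev, st_ino), while /proc/self/fd/N, which goes through d_path(), now reports only /etc/shadow, a name that resolves to a different file (or nothing) from anywhere else.

```c
/* Added example, not from Eric's post. Assumes Linux, unprivileged user
 * namespaces allowed (kernel.unprivileged_userns_clone=1 or equivalent),
 * and /proc mounted. Names and paths below are the example's own choices. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* (st_dev, st_ino) is what audit records as the object.
 * 1 = same inode, 0 = different inodes, -1 = a stat() failed. */
int same_inode(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) < 0 || stat(b, &sb) < 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Name the kernel currently reports for fd via /proc/self/fd/N, i.e. d_path()
 * relative to the caller's root and mount namespace. 0 on success, -1 on error. */
int fd_path(int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* New user namespace (our uid/gid mapped to 0) plus a private copy of the
 * mount tree, so tmpfs can be mounted without real privilege. */
static int enter_private_mount_ns(void)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0)
        return -1;
    write_str("/proc/self/setgroups", "deny");   /* missing on old kernels: ignore */
    snprintf(map, sizeof map, "0 %u 1", uid);
    if (write_str("/proc/self/uid_map", map) < 0)
        return -1;
    snprintf(map, sizeof map, "0 %u 1", gid);
    if (write_str("/proc/self/gid_map", map) < 0)
        return -1;
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL); /* no propagation */
}

/* 0: inode unchanged and the reported name collapsed to "/etc/shadow";
 * 2: inode unchanged but this kernel reported some other name (printed);
 * 1: namespaces or mounts not permitted here (sandbox, sysctl), nothing shown;
 * -1: unexpected failure after the mount succeeded. */
int mount_ns_demo(void)
{
    char base[] = "/tmp/virtXXXXXX", etc[PATH_MAX], shadow[PATH_MAX];
    char before[PATH_MAX], after[PATH_MAX];
    struct stat st_before, st_after;
    int fd, rc;

    if (enter_private_mount_ns() < 0 || !mkdtemp(base))
        return 1;
    if (mount("tmpfs", base, "tmpfs", 0, NULL) < 0) {
        rmdir(base);
        return 1;
    }
    snprintf(etc, sizeof etc, "%s/etc", base);
    snprintf(shadow, sizeof shadow, "%s/etc/shadow", base);
    if (mkdir(etc, 0755) < 0)
        return -1;
    fd = open(shadow, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || fstat(fd, &st_before) < 0 || fd_path(fd, before, sizeof before) < 0)
        return -1;
    /* Drop the mount while the file is still open, as the init namespace does
     * when it unmounts a tree that a 'virtual machine' is still using. */
    if (umount2(base, MNT_DETACH) < 0 || fstat(fd, &st_after) < 0 ||
        fd_path(fd, after, sizeof after) < 0)
        return -1;
    printf("before: dev=%llu ino=%llu name=%s\n", (unsigned long long)st_before.st_dev,
           (unsigned long long)st_before.st_ino, before);
    printf("after:  dev=%llu ino=%llu name=%s\n", (unsigned long long)st_after.st_dev,
           (unsigned long long)st_after.st_ino, after);
    close(fd);
    rmdir(base);
    if (st_before.st_dev != st_after.st_dev || st_before.st_ino != st_after.st_ino)
        return -1;
    rc = strcmp(after, "/etc/shadow") == 0 ? 0 : 2;
    return rc;
}

int main(void)
{
    int rc = mount_ns_demo();
    if (rc == 1)
        puts("user/mount namespaces not available here; nothing to show");
    return rc < 0;
}
```

Run it as an ordinary user; the "after" line is the name an audit record keyed on pathname would carry for that inode, and the real /etc/shadow of the initial namespace is a different (dev, ino) entirely.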
