Bug 440195 - Feature request: Support for directory level audit with recursion before 2.6.24 kernel and above at userspace
Summary: Feature request: Support for directory level audit with recursion before 2.6....
Alias: None
Product: Fedora
Classification: Fedora
Component: audit   
(Show other bugs)
Version: 8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-04-02 07:37 UTC by abhishek
Modified: 2008-09-25 18:32 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-25 18:32:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
This patch add directory level audit with recursion feature in userspace (3.44 KB, patch)
2008-04-02 07:37 UTC, abhishek
no flags Details | Diff

Description abhishek 2008-04-02 07:37:09 UTC
Description of problem:

Before kernel 2.6.24 there is no support for recursive directory level audit.If
there are number of files and subdirectories in a parent directory and we want 
to add watch on all the files then we have to put watch on all the files and
directories explicitly.Even userlevel support for this from 2.6.24 kernel  is
not available till now.Organisations does not frequently migrate from one kernel
version to other frequently.Like if they are using 2.6.22 kernel,they will not
switch immediately to 2.6.24. This patch will add the feature in userspace which
will work for kernel versions  before 2.6.24 and above.And will make the task easy. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.patch should be applied to auditctl.c file present in audit-1.7 component
2.then install audit-1.7 component
3.To add watch on files and subdirectories present in a directory,type the 
command below 
4.auditctl -Z path/to/directory -p rwx 
Actual results:
All files within the directory and subdirectory will be watched.

Expected results:

Additional info:

Comment 1 abhishek 2008-04-02 07:37:09 UTC
Created attachment 300021 [details]
This patch add directory level audit with recursion feature in userspace

Comment 2 Steve Grubb 2008-04-04 16:35:32 UTC
Hi...first, thanks for the patch. 

But I'm not sure this is a good idea since it does not provide complete
coverage. IOW, if you have a rule for /etc and a new file goes into /etc and its
edited, the rule will not pick it up since auditctl builds a list at the time it
applies the rule instead of continuously. Its for this reason we opted to
provide coverage in the kernel rather than user space.

Also, auditctl -l takes the rules and reformats them to appear as close as
possible to the rule that is in the audit.rules file. I don't think this patch
can figure out what the original rule is unless its does a lot of extra processing.

Comment 3 Steve Grubb 2008-09-25 18:32:16 UTC
I do appreciate the patch, but I don't think I can merge it with the current code base (see comment #2). Thank you for the offer, though.

Note You need to log in before you can comment on or make changes to this bug.