On Thu, 2002-03-14 at 12:33, Rainer Link wrote:
But this method is limited to Samba only. What about the dnotify method? (see /usr/src/linux/Documentation/dnotify.txt or http://www.jedi.claranet.fr/eliott/ as an example). Or fam/imon? (http://oss.sgi.com/projects/fam/). Or as a kernel module? reminds me of the (old) auditd stuff from HERT. All stuff untested :)
I have begun looking into using the kernel's directory notification mechanisms for auditing purposes. I took the sample in dnotify.txt and compiled it. The problem I am running into is that in the siginfo_t structure, it passes back the file descriptor, and I have been unable to find a way to take a file descriptor and get the associated filename. I know that /proc/<pid>/fd/<fd> points to the file but I am still not sure how that will help me get the filename of the file being read/written/created/deleted/etc.

Bill Miller
jrmiller@cbnlottery.com
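An added example (not code from the thread) of the approach under discussion: it arms dnotify on a directory with F_NOTIFY and resolves the descriptor handed back in siginfo_t by reading the /proc/self/fd symlink. The caveat a practitioner needs: dnotify fills si_fd with the fd of the watched directory, so the resolved path names the directory, and the changed file must still be found by rescanning it (for example by diffing a stat snapshot). Assumes Linux with dnotify compiled in; function names are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Map an open fd to its path through the /proc/self/fd symlink (NULL on error).
 * Returns a static buffer, so the result is only valid until the next call. */
const char *fd_path(int fd)
{
    static char path[4096];
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, path, sizeof path - 1);
    if (n < 0) return NULL;
    path[n] = '\0';
    return path;
}
static volatile sig_atomic_t notified_fd = -1;
/* dnotify handler: si_fd is the fd of the watched DIRECTORY, never the file. */
static void on_notify(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    notified_fd = si->si_fd;
}
/* Arm dnotify on a directory; returns the directory fd, or -1 on failure. */
int watch_dir(const char *dir)
{
    struct sigaction sa = { 0 };
    sa.sa_sigaction = on_notify; sa.sa_flags = SA_SIGINFO;
    sigaction(SIGRTMIN, &sa, NULL);
    int fd = open(dir, O_RDONLY);
    if (fd < 0) return -1;
    if (fcntl(fd, F_SETSIG, SIGRTMIN) < 0 ||
        fcntl(fd, F_NOTIFY, DN_MODIFY | DN_CREATE | DN_DELETE | DN_MULTISHOT) < 0) {
        close(fd); return -1;
    }
    return fd;
}
int main(void)
{
    if (watch_dir(".") < 0) { perror("watch_dir"); return 1; }
    for (;;) {  /* the signal names only the directory; rescan it for the file */
        pause();
        const char *dir = fd_path(notified_fd);
        printf("change in %s (si_fd=%d)\n", dir ? dir : "?", (int)notified_fd);
    }
}
```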