audit question (fwd)

Andrew R. Reiter arr at
Fri Nov 9 09:53:22 GMT 2001

On Fri, 9 Nov 2001, Ilmar S. Habibulin wrote:
:Well, i can share with my thoughts and experience. Why not to extend
:device/inode number to other fses? I mean the idea of unique identification of
:filesystem object. IMHO, every fs must have one. So there would be some
:fs-specific object idetifier, like "UFS(device,inode)" for ufs. It's very
:hard to get even relative path from inside kernel. In my simple audit
:implementation i have special flags on set on UFS files in order to
:register access to them, so i didn't mind about msdos or nfs. So i think
:that we should concentrate on finding some unique kernel identifiers for
:filesysytem objects, that can be interpreted from userland by audit daemon
:and translated to real paths. This daemon must be very smart in that case,
:but this intelligence is much more easier to implement in userland, than
:in kernel. imho.

Since you mentioned you did this from experience, can you share with what
you used as generic identifiers before?  

I had been wondering about how this would impact something like a heavily
loaded web server or other type of server that might create any number of
files/inodes, etc.. Perhaps if we can compress the relative path and be
able to do a hash on that, and then just worry about filenames
specifically it might help us.


Andrew R. Reiter
arr at
arr at

To Unsubscribe: send mail to majordomo at
with "unsubscribe trustedbsd-audit" in the body of the message

More information about the trustedbsd-audit mailing list