[RFC PATCH v1 1/7] fs: Add inode_get_ino() and implement get_ino() for NFS
Mickaël Salaün
mic at digikod.net
Mon Oct 14 13:13:41 UTC 2024
On Mon, Oct 14, 2024 at 05:17:53AM -0700, Christoph Hellwig wrote:
> On Mon, Oct 14, 2024 at 11:12:25PM +1100, Burn Alting wrote:
> > > > PATH records is no longer forensically defensible and its use as a
> > > > correlation item is of questionable value now?
> > >
> > > What do you mean with forensically defensible?
> >
> > If the auditd system only maintains a 32 bit variable for an inode value,
> > when it emits an inode number, then how does one categorically state/defend
> > that the inode value in the audit event is the actual one on the file
> > system. The PATH record will offer one value (32 bits) but the returned
> > inode value from a stat will return another (the actual 64 bit value).
> > Basically auditd would not be recording the correct value.
>
> Does auditd only track 32-bit inodes? If yes, it is fundamentally
> broken.

auditd logs 32-bit inodes on 32-bit architecture, whereas it should
always log 64-bit inodes. The goal of this patch series is to fix this
issue for auditd and other kernel logs (and to backport these
fixes).
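
The correlation problem discussed in this thread, as an added example that is not part of the original message or of the patch series: it checks how far the inode= value of an audit PATH record identifies a file when stat returns 64-bit inode numbers. It assumes a 32-bit logged value keeps the low 32 bits of the real inode number (a filesystem may derive it differently); the record lines, paths, inode values and function names are constructed for illustration.

```python
import re

MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1

# Constructed sample PATH records (not from the thread).
SAMPLE_RECORDS = [
    'type=PATH msg=audit(1728911621.100:501): item=0 '
    'name="/srv/data/a.log" inode=305419896 dev=00:2b mode=0100644',
    'type=PATH msg=audit(1728911621.200:502): item=0 '
    'name="/srv/data/b.log" inode=77 dev=00:2b mode=0100644',
]

# Constructed stat() view of the same filesystem: path -> 64-bit st_ino.
SAMPLE_STAT = {
    "/srv/data/a.log": 0x0000000512345678,  # low 32 bits: 305419896
    "/srv/data/c.log": 0x0000000912345678,  # other file, same low 32 bits
    "/srv/data/b.log": 77,
}

PATH_RE = re.compile(r'type=PATH\b.*?\bname="(?P<name>[^"]*)".*?\binode=(?P<ino>\d+)')


def parse_path_record(line):
    """Return (name, logged_inode) from a PATH record, or None."""
    m = PATH_RE.search(line)
    return (m.group("name"), int(m.group("ino"))) if m else None


def classify(logged, stat_table):
    """Say how far a logged inode value identifies a file in stat_table."""
    # Assumption: a value that fits in 32 bits may be the low 32 bits of a
    # larger inode number; a larger value cannot have been narrowed.
    mask = MASK32 if logged <= MASK32 else MASK64
    hits = sorted(p for p, ino in stat_table.items() if (ino & mask) == logged)
    if not hits:
        return "unmatched", hits
    if len(hits) > 1:
        return "ambiguous", hits  # several files fit the logged value
    return ("exact" if stat_table[hits[0]] == logged else "narrowed"), hits


def correlate(records, stat_table):
    """Classify every parsable PATH record against the stat table."""
    parsed = (parse_path_record(line) for line in records)
    return [(p[0],) + classify(p[1], stat_table) for p in parsed if p]


if __name__ == "__main__":
    for row in correlate(SAMPLE_RECORDS, SAMPLE_STAT):
        print(row)
```

A verdict of "narrowed" or "ambiguous" marks a PATH record whose inode value cannot, on its own, be defended as the file's actual inode number.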