On Mon, Oct 14, 2024 at 11:12:25PM +1100, Burn Alting wrote: > > > PATH records is no longer forensically defensible and it's use as a > > > correlation item is of questionable value now? > > > > What do you mean with forensically defensible? > > If the auditd system only maintains a 32 bit variable for an inode value, > when it emits an inode number, then how does one categorically state/defend > that the inode value in the audit event is the actual one on the file > system. The PATH record will offer one value (32 bits) but the returned > inode value from a stat will return another (the actual 64 bit value). > Basically auditd would not be recording the correct value. Does auditd only track 32-bit inodes? If yes, it is fundamentally broken. > My reference to the filesystem size was a quick and dirty estimate of when > one may see more than 2^32 inodes on a single filesystem. What I failed to > state (my apologies) is that this presumed an xfs filesystem with default > values when creating the file system. (A quick check on an single 240TB xfs > filesystem advised more than 5000000000 inodes were available). For XFS inode number encoding is sparse, with part of it encoding the allocation group it resides in. For btrfs for example the inode number is simply a 64-bit monotonically increasing counter per subvolume where freed inode numbers never get reused.
