[redhat-lspp] SE Linux audit events
Steve Grubb
sgrubb at redhat.com
Tue Nov 8 15:49:11 UTC 2005
On Tuesday 08 November 2005 10:38, Stephen Smalley wrote:
> Already handled by auditallow rules on load_policy permission. As
> above, I don't see a need for a distinct audit type when we have a
> distinct permission.
I think these need to be hardwired into the kernel so that they can't be
deleted accidentally or maliciously. Also, if the system is booted in
non-enforcing mode, how does that fact get into the audit system?
Are there other events that we care about besides those three?
Thanks,
-Steve
More information about the redhat-lspp
mailing list