Getting the program name in audit messages

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 1 14:50:42 UTC 2005


On Fri, 2005-04-01 at 09:51 -0500, Steve Grubb wrote:
> If we go this route, I'd like to push my original patch to get comm and 
> syscall information in the avc messages. Dan has been wanting an improvement 
> in that area for quite a while.

IMHO, that's different - it is one thing to say that we won't remove any
information from the existing avc messages even if we duplicate it in
the syscall auditing for compatibility; it is another thing to add new
information to the avc messages that is better suited to the syscall
auditing.  If Dan or others want new information, it is reasonable to
tell them to enable syscall auditing (after adding that information to
it).  Telling people that they have to enable syscall auditing and
correlate multiple audit messages to retain old information is more
problematic.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
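
What correlating an avc message with its syscall audit record involves, shown as an added example that is not part of the original message or of any project code. It assumes records belonging to one event share the same `msg=audit(timestamp:serial)` identifier; the log lines, field values and the `correlate` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (simplified layout, not taken from the thread).
# The third record has no SYSCALL companion, as when syscall auditing is off.
SAMPLE_LOG = '''\
type=AVC msg=audit(1112367042.123:456): avc:  denied  { read } for  pid=2101 name="shadow" dev=hda1 ino=1234 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1112367042.123:456): arch=40000003 syscall=5 success=no exit=-13 pid=2101 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1112367050.900:457): avc:  denied  { write } for  pid=2200 name="log" dev=hda1 ino=99 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_log_t tclass=dir
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')


def correlate(log_text):
    """Join each AVC record with the SYSCALL record of the same event."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        match = EVENT_ID.search(line)
        if not match:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[match.groups()][fields.get("type")].append((fields, line))

    results = []
    for (stamp, serial), by_type in events.items():
        # Take the first SYSCALL record of the event, or an empty one if absent.
        syscall = by_type["SYSCALL"][0][0] if by_type["SYSCALL"] else {}
        for fields, line in by_type["AVC"]:
            perms = PERMS.search(line)
            results.append({
                "serial": int(serial),
                "perms": perms.group(1) if perms else None,
                "scontext": fields.get("scontext"),
                "tclass": fields.get("tclass"),
                # These come only from the syscall record; None means the
                # AVC record had nothing to correlate with.
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "syscall": syscall.get("syscall"),
            })
    return results


if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```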



