audit 0.6.10 released

Steve Grubb sgrubb at redhat.com
Tue Apr 5 22:04:42 UTC 2005


On Tuesday 05 April 2005 17:45, Debora Velarde wrote:
> I'm partial to:
> auditctl -a entry,always -S chmod -F arch=64
> auditctl -a entry,always -S chmod -F arch=32

Me too...less typing. What I was thinking about doing was treating it like 
syscall. If you give it a number, it uses that. Otherwise it translates it 
into the correct number and uses that.

> Something like 0x800000000 would be okay, if:
> 1. we document it in the man page what each value means

Right. But we need to tell them how to get the elf machine type.

> 2. auditctl is smart enough to understand that 0x8000 is the same as
> 0x800000000.

huh?

> Also, we need to decide what the default behavior should be.
> For our tests, there would be considerably less impact if:
> "auditctl -a entry,always -S chmod"
> would result in two rules being added:
>       auditctl -a entry,always -S chmod -F arch=32
>       auditctl -a entry,always -S chmod -F arch=64

This adds 2 rules for my machine which is not 64 bit capable. Every rule added 
slows the whole system down every time there's the potential to generate an 
audit event.

> Also from the user point of view, if they want to audit chmod syscalls,
> they more likely want to audit all of them, not just 32bit or 64bit
> versions of them.

I suspect that a user on a 64 bit machine may think this way. It's a waste for 32 
bit machines.

-Steve
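
Added example, not part of the original message and not the audit project's code: one way to handle an arch argument "like syscall", using a number as given and translating a name otherwise. The function name, the name table and the 32-bit width check are assumptions of this example; the flag bits and ELF machine numbers are the ones in <linux/audit.h> and <elf.h>.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An arch value is the ELF machine type OR'ed with these flag bits. */
#define ARCH_64BIT 0x80000000u
#define ARCH_LE    0x40000000u

/* Hypothetical name table; the spellings are this example's choice. */
static const struct { const char *name; uint32_t value; } arch_names[] = {
    { "i386",   3u  | ARCH_LE },               /* EM_386 */
    { "x86_64", 62u | ARCH_64BIT | ARCH_LE },  /* EM_X86_64 */
    { "ppc",    20u },                         /* EM_PPC, big endian */
    { "ppc64",  21u | ARCH_64BIT },            /* EM_PPC64, big endian */
};

/* Store the arch value and return 0, or return -1 on a bad argument. */
int resolve_arch(const char *arg, uint32_t *out)
{
    char *end;
    unsigned long long n;

    if (arg == NULL || *arg == '\0')
        return -1;
    if (arg[0] >= '0' && arg[0] <= '9') {      /* numeric: use it as given */
        errno = 0;
        n = strtoull(arg, &end, 0);            /* base 0: decimal or 0x... */
        if (errno != 0 || *end != '\0' || n > UINT32_MAX)
            return -1;                         /* junk or wider than 32 bits */
        *out = (uint32_t)n;
        return 0;
    }
    for (size_t i = 0; i < sizeof(arch_names) / sizeof(arch_names[0]); i++) {
        if (strcmp(arg, arch_names[i].name) == 0) {
            *out = arch_names[i].value;        /* name: translate to number */
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    uint32_t a;
    if (resolve_arch("x86_64", &a) == 0)
        printf("x86_64 -> 0x%08x\n", (unsigned)a);
    return 0;
}
```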



