audit 0.6.10 released

Debora Velarde dvelarde at us.ibm.com
Wed Apr 6 22:32:39 UTC 2005

> > 2. auditctl is smart enough to understand that 0x8000 is the same as
> > 0x800000000.

> huh?
Never mind, not important if we go with the 'arch=64' 'arch=32' idea.

> > Also, we need to decide what the default behavior should be.
> > For our tests, there would be considerably less impact if:
> > "auditctl -a entry,always -S chmod"
> > would result in two rules being added:
> >       auditctl -a entry,always -S chmod -F arch=32
> >       auditctl -a entry,always -S chmod -F arch=64

> This adds 2 rules for my machine which is not 64 bit capable. Every rule added
> slows the whole system down every time there's the potential to generate an
> audit event.

Is it possible for auditctl to determine if it is on a 64bit capable
system, if so it will add both rules.
Otherwise it will only add the arch=32 bit rule?


> > Also from the user point of view, if they want to audit chmod syscalls,
> > they more likely want to audit all of them, not just 32bit or 64bit
> > versions of them.

> I suspect that a user on a 64 bit machine may think this way. It's waste for 32
> bit machines.

I realize our evaluation isn't the only thing to consider.  But, most of
the systems in our evaluation are 64bit.

-debbie