audit 0.6.10 released

Chris Wright chrisw at osdl.org
Thu Apr 7 00:39:24 UTC 2005


* Debora Velarde (dvelarde at us.ibm.com) wrote:
> > > Also, we need to decide what the default behavior should be.
> > > For our tests, there would be considerably less impact if:
> > > "auditctl -a entry,always -S chmod"
> > > would result in two rules being added:
> > >       auditctl -a entry,always -S chmod -F arch=32
> > >       auditctl -a entry,always -S chmod -F arch=64
> 
> > This adds 2 rules for my machine which is not 64 bit capable. Every rule added
> > slows the whole system down every time there's the potential to generate an
> > audit event.
> 
> Is it possible for auditctl to determine if it is on a 64bit capable
> system, if so it will add both rules.
> Otherwise it will only add the arch=32 bit rule?

I'd expect that adding a rule with arch=64 on a 32bit machine would fail.
But, arch=32/64 doesn't look like the right solution.  We are exposing
the underlying architecture which is more granular than 32 vs. 64 bit.
It includes various architectures as well.  Why not keep this value
the same as the output in the audit message?  And if it's done as it
currently is, the records could (theoretically) be parsed on a machine
with a different cpu arch than the machine that generated the record.

thanks,
-chris
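
Added example, not part of the original message: a Python sketch of why the arch value in a record lets it be interpreted on a different machine than the one that produced it. It assumes the AUDIT_ARCH encoding from the current `<linux/audit.h>` (ELF machine number plus 64-bit and little-endian flag bits); the sample records, the tiny syscall tables and the function names are constructed for illustration.

```python
import re

# Flag bits from <linux/audit.h>; machine numbers from <linux/elf-em.h>.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
EM_NAMES = {3: "i386", 20: "ppc", 21: "ppc64", 22: "s390", 50: "ia64", 62: "x86_64"}

# Deliberately tiny excerpt of two syscall tables: the same number names
# different calls on different ABIs, so a record is ambiguous without arch=.
SYSCALLS = {
    "i386": {15: "chmod", 90: "mmap"},
    "x86_64": {15: "rt_sigreturn", 90: "chmod"},
}

FIELD = re.compile(r"\b(arch|syscall)=(\S+)")

def decode_arch(value):
    """Split an arch= value into (machine name, word size, byte order)."""
    machine = EM_NAMES.get(value & 0xFFFF, "unknown(%d)" % (value & 0xFFFF))
    bits = 64 if value & AUDIT_ARCH_64BIT else 32
    endian = "little" if value & AUDIT_ARCH_LE else "big"
    return machine, bits, endian

def describe(record):
    """Return (machine, bits, endian, syscall name) for one SYSCALL record."""
    fields = dict(FIELD.findall(record))
    if "arch" not in fields or "syscall" not in fields:
        raise ValueError("record has no arch=/syscall= pair")
    machine, bits, endian = decode_arch(int(fields["arch"], 16))
    number = int(fields["syscall"])
    name = SYSCALLS.get(machine, {}).get(number, "syscall#%d" % number)
    return machine, bits, endian, name

# Constructed sample records (not taken from the thread).
SAMPLES = [
    "type=SYSCALL msg=audit(1112834364.001:101): arch=c000003e syscall=90 success=yes",
    "type=SYSCALL msg=audit(1112834364.002:102): arch=40000003 syscall=90 success=yes",
    "type=SYSCALL msg=audit(1112834364.003:103): arch=40000003 syscall=15 success=yes",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(describe(line), "<-", line.split(": ", 1)[1])
```

The first two records carry the same syscall number but decode to chmod and mmap respectively, which is the ambiguity a plain 32/64 switch on the rule would not resolve across architectures.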



