auditd design decision

Steve Grubb sgrubb at redhat.com
Mon Jan 10 18:25:30 UTC 2005


On Saturday 08 January 2005 15:09, Timothy R. Chavez wrote:
> I think it'd be easy for the time being to insert watch points at
> auditd start up and remove watch points at auditd shut down.  Or if
> you prefer not to add code to auditd, we can do something like:
>
> Insert watch points:
> ./auditctl -W watch.list
>
> Remove watch points:
> ./auditctl -w watch.list

I view the audit rules in much the same way as IP Tables. I don't think the 
daemon should do the loading. What I was going to do was create an option to 
take the commandline options from a file. It would read the file to its end 
loading a rule with each newline.

You might want to create the syntax for loading 1 watch point. The file option 
will load everything for you. This is the direction I'm planning to take the 
initscripts.

-Steve
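
The file option described above, sketched as an added example (not part of the original message and not the audit project's code): each line of a rules file becomes one argument list, parsed without invoking a shell so that file contents cannot inject commands. The function name, the comment and blank-line handling, the "must start with an option" check and the `-X` option letter are assumptions made for illustration.

```python
import shlex

class RuleFileError(ValueError):
    """Raised with the offending line number so a bad rule is easy to find."""

def parse_rule_file(text, tool="auditctl"):
    """Turn a rules file into one argv list per rule line.

    Assumptions (not from the original post): blank lines and lines starting
    with '#' are skipped, and every rule must begin with an option ('-...').
    """
    commands = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # shlex splits words the way a shell would but executes nothing,
            # so ';', '|' or '$(...)' in the file remain literal arguments.
            args = shlex.split(line)
        except ValueError as exc:  # for example an unbalanced quote
            raise RuleFileError(f"line {lineno}: {exc}") from exc
        if not args[0].startswith("-"):
            raise RuleFileError(f"line {lineno}: rule must start with an option")
        commands.append([tool] + args)
    return commands

# Constructed sample file; '-X' is a placeholder option letter, not a real flag.
SAMPLE = """\
# watch points
-X /etc/shadow
-X "/srv/data dir/secrets"

-X /etc/passwd; echo injected
"""

if __name__ == "__main__":
    for argv in parse_rule_file(SAMPLE):
        # Each list would be passed to subprocess.run(argv), never shell=True.
        print(argv)
```

A loader built this way stops at the first malformed line and reports its number, so a partially loaded rule set is noticed rather than silently accepted.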
