audit.56 merged with audit-2.6.git

Timothy R. Chavez tinytim at us.ibm.com
Thu Jun 9 16:22:55 UTC 2005


On Thursday 09 June 2005 11:11, Timothy R. Chavez wrote:
> On Thursday 09 June 2005 11:09, Steve Grubb wrote:
> > On Thursday 09 June 2005 11:13, Timothy R. Chavez wrote:
> > > Have you tried using the syscall (inode,dev)-based filter rules?
> > 
> > Files that are deleted and created can have new inode numbers. Examples are 
> > rotating audit logs and updating /etc/shadow.
> 
> Then use both?
> 

I see what you're saying though.

I'm really not sure about hooking all these other system calls.  If we can get CAPP
without it, then we should hold off, and submit a patch for these at a later date.

-tim
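
Added example, not part of the original message or of the audit code: a userspace Python model of the point made in this thread, that a rule keyed on (inode, dev) stops matching once a file is replaced, while a path-only rule misses a hard link to the same inode. The Watch class, the file names and the write-temp-then-rename update pattern are assumptions made for illustration.

```python
import os
import tempfile

def file_id(path):
    """Return the (dev, inode) pair that an inode-based rule would key on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def replace_file(path, data):
    """Update a file by writing a temp file and renaming it over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.replace(tmp, path)  # old and new file coexist, so the inode must change

class Watch:
    """Hypothetical model of a rule: path and (dev, inode) captured at insertion."""
    def __init__(self, path):
        self.path = os.path.abspath(path)
        self.ident = file_id(path)

    def by_inode(self, path):
        return file_id(path) == self.ident

    def by_path(self, path):
        return os.path.abspath(path) == self.path

    def by_both(self, path):
        return self.by_inode(path) or self.by_path(path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "shadow")      # constructed stand-in file
        alias = os.path.join(d, "alias")
        with open(target, "w") as f:
            f.write("old\n")
        w = Watch(target)
        os.link(target, alias)                  # second name, same inode
        result = {
            "inode_before": w.by_inode(target),
            "inode_on_hardlink": w.by_inode(alias),
            "path_on_hardlink": w.by_path(alias),
        }
        replace_file(target, "new\n")
        result["inode_after_replace"] = w.by_inode(target)
        result["path_after_replace"] = w.by_path(target)
        result["both_after_replace"] = w.by_both(target)
        return result

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```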



