[RFC][PATCH 2/2] (#6 U2) filesystem auditing

Steve Grubb sgrubb at redhat.com
Tue Mar 29 16:46:15 UTC 2005


On Tuesday 29 March 2005 10:55, Timothy R. Chavez wrote:
> I tried to explain to you why I felt it wouldn't be a good
> idea to just dump the strings.  What you'd get right now is something like:
>
> 'name=foo, filterkey=fk_foo, permissions=15'

I think this is good enough. It should be returned in a structure. That's what 
rules does. Userspace interprets the structure and prints it. Let's reuse 
current structures instead of making new ones.

> To me, this isn't that informative, because you have no idea where 'foo'
> is. I mean, I can add this, if this is what you want

But since you have "name=foo", you could also go ahead and look up that path 
and return the additional data that you were wanting to return. This needs to 
be real simple (from the user's perspective) to be effective.

> -- it can use the 
> same master list that the "remove all" feature will eventually use.

You don't need a remove all. This can be done in userspace just like the 
rules. I get the list and bounce it back with a remove. Let's keep it simple.

-Steve



