key in syscall audit rules.
Steve Grubb
sgrubb at redhat.com
Tue May 17 20:47:26 UTC 2005
On Tuesday 17 May 2005 16:38, David Woodhouse wrote:
> That would be hard to introduce into audit rules without breaking binary
> compatibility.
Could the string go at the end? Then based on nlmsg_len, either have the old
behavior or the new.
> The way it's done, you have 4 milliard possible keys for
> syscall auditing rules. Do you really think that's insufficient?
Its not that its insufficient - its not the same. The patch uses a number
while filesystem auditing is a text string. The idea is to provide a like
feature regardless of what kind of audit rule.
-Steve
More information about the Linux-audit
mailing list