key in syscall audit rules.

Timothy R. Chavez tinytim at us.ibm.com
Wed May 18 15:28:01 UTC 2005


On Wednesday 18 May 2005 07:18, Steve Grubb wrote:
> On Wednesday 18 May 2005 01:29, David Woodhouse wrote:
> > How about we change the latter then?
>
> Then it severely impacts usability. Which is more meaningful to end users:
>
> "attempted-shadow-write"   or  "9"  ?

Well "9" (or rather a 32b/64b hash) could map to something in a userland table 
of sorts which would produce "attempted-shadow-write" before it got to the 
log.  There's most definitely a space savings here and we shouldn't be so 
free to use kernel memory as we do user memory, but is it really worth all 
the extra complexity to try to decipher the meaning of "9" in userland?  
IMHO, no. *shrug*

If we do decide to go with a string, maybe we should consider a slab cache of 
keys that both the file system watches and syscalls can use?
  
-tim



