key in syscall audit rules.
David Woodhouse
dwmw2 at infradead.org
Wed May 18 16:01:50 UTC 2005
On Wed, 2005-05-18 at 10:28 -0500, Timothy R. Chavez wrote:
> Well "9" (or rather a 32b/64b hash) could map to something in a userland table
> of sorts which would produce "attempted-shadow-write" before it got to the
> log. There's most definitely a space savings here and we shouldn't be so
> free to use kernel memory as we do user memory, but is it really worth all
> the extra complexity to try to decipher the meaning of "9" in userland?
> IMHO, no. *shrug*
Agreed. Can you change the auditfs patch to use numeric keys in the next
incarnation, please? This kind of thing really doesn't live in the
kernel.
It doesn't actually need to be mapped by auditd before it hits the log.
Storing it as-is in the log probably makes more sense.
--
dwmw2
More information about the Linux-audit
mailing list