key in syscall audit rules.
Klaus Weidner
klaus at atsec.com
Wed May 18 19:03:44 UTC 2005

On Wed, May 18, 2005 at 05:01:50PM +0100, David Woodhouse wrote:
> It doesn't actually need to be mapped by auditd before it hits the log.
> Storing it as-is in the log probably makes more sense.

Storing only numbers makes it very hard to interpret older log entries;
the mapping table can potentially change at any time, and there's no sane
way to track the history of all changes to watches to do that.

I don't object to storing only numbers in the kernel and mapping in
userspace, but the mapping back to strings would need to happen before
they end up in the log.

-Klaus