key in syscall audit rules.

Klaus Weidner klaus at atsec.com
Wed May 18 21:17:19 UTC 2005


On Wed, May 18, 2005 at 04:42:11PM -0400, Steve Grubb wrote:
> On Wednesday 18 May 2005 16:33, Casey Schaufler wrote:
> > We've hashed the notion of intelligence in audit
> > daemons before, and the danger that mapping in
> > real time will fail remains
> 
> We aren't really talking about doing anything in the audit daemon. It doesn't 
> have time. We are discussing having ausearch interpret the audit key with the 
> current rules vs the kernel emitting it as part of the message so there's no 
> version control issues later.

I'm confused, I thought we had agreed that this needs to be in the audit
daemon since there's no easy way for ausearch to make sense of entries
older than the current ruleset. I don't think that it would be a
noticeable performance hit, it's just a matter of looking up the numbered
entry in a string array and appending it to the record.

-Klaus
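To make the version-skew point concrete, here is an added example (my own illustration, not code from auditd, ausearch, the kernel or anyone on this thread). It assumes a hypothetical "key=<index>" form that the kernel would emit, a hypothetical "keyname=" field the daemon would append, two constructed generations of a ruleset, and one constructed record; it shows the lookup Klaus describes done at arrival time, and what the same lookup returns when a search tool does it later against a ruleset that has since changed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data: two generations of a ruleset, each listing the key
 * strings in the order the rules were loaded. The numeric index is what, in the
 * scheme under discussion, the kernel would emit instead of the string. In v2
 * the "passwd-changes" rule has been deleted, so every later index shifts down. */
static const char *ruleset_v1[] = { "login-attempts", "passwd-changes", "sudo-use" };
static const char *ruleset_v2[] = { "login-attempts", "sudo-use" };
#define NRULES(r) (sizeof(r) / sizeof((r)[0]))

/* A constructed record using the hypothetical "key=<index>" form. */
static const char sample_rec[] =
    "type=SYSCALL msg=audit(1116450000.123:45): arch=c000003e syscall=2 success=yes key=1";

/* Parse the numeric key out of a raw record and look it up in the given ruleset.
 * Returns the key string, or NULL if the record carries no bare numeric key or
 * the index is not in this ruleset. Out-of-range is the only mismatch that can
 * be detected: an index that still exists in a newer ruleset resolves silently
 * to whatever rule now sits at that position. */
const char *resolve_record_key(const char *rec, const char **rules, size_t nrules)
{
    const char *p = strstr(rec, " key=");
    if (!p)
        return NULL;
    const char *num = p + strlen(" key=");
    char *end;
    unsigned long idx = strtoul(num, &end, 10);
    if (end == num || (*end != '\0' && *end != ' ' && *end != '\n'))
        return NULL;            /* not a bare number, e.g. key="string" already */
    if (idx >= nrules)
        return NULL;
    return rules[idx];
}

/* The daemon-side step: resolve the index against the ruleset that is current
 * when the record arrives and append the string, so the stored record no longer
 * depends on any future ruleset. "keyname=" is a hypothetical field name.
 * Returns 1 if a name was appended, 0 if the record was copied unchanged. */
int annotate_record(const char *rec, const char **rules, size_t nrules,
                    char *out, size_t outsz)
{
    const char *name = resolve_record_key(rec, rules, nrules);
    if (!name) {
        snprintf(out, outsz, "%s", rec);
        return 0;
    }
    snprintf(out, outsz, "%s keyname=\"%s\"", rec, name);
    return 1;
}

int main(void)
{
    char line[512];

    /* Resolved at arrival time under the ruleset that produced it: correct. */
    annotate_record(sample_rec, ruleset_v1, NRULES(ruleset_v1), line, sizeof line);
    printf("at arrival (v1): %s\n", line);

    /* Same raw record interpreted later against the ruleset current at search
     * time: index 1 now names a different rule, and nothing flags the error. */
    annotate_record(sample_rec, ruleset_v2, NRULES(ruleset_v2), line, sizeof line);
    printf("later (v2):      %s\n", line);
    return 0;
}
```

The second run is the case the thread is worried about: the lookup succeeds, so a search tool working from the current rules has no way to know it attached the wrong name to an older record. Doing the lookup once in the daemon, against the rules loaded at that moment, is one array index and a string append per record, and it makes the stored record self-describing.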

More information about the Linux-audit mailing list