key in syscall audit rules.
Steve Grubb
sgrubb at redhat.com
Wed May 18 21:35:34 UTC 2005
On Wednesday 18 May 2005 17:17, Klaus Weidner wrote:
> I'm confused, I thought we had agreed that this needs to be in the audit
> daemon
David misquoted. The audit daemon does not alter records. There's no time. It
would also have to track all changes to the ruleset and re-read labels.
> since there's no easy way for ausearch to make sense of entries
> older than the current ruleset.
That's correct. That's why doing it in user space is bad.
-Steve