key in syscall audit rules.

David Woodhouse dwmw2 at infradead.org
Thu May 19 12:17:24 UTC 2005


On Wed, 2005-05-18 at 16:17 -0500, Klaus Weidner wrote:
> I'm confused, I thought we had agreed that this needs to be in the
> audit daemon since there's no easy way for ausearch to make sense of
> entries older than the current ruleset. I don't think that it would be
> a noticeable performance hit, it's just a matter of looking up the
> numbered entry in a string array and appending it to the record.

I suspect that the need to "make sense of entries older than the current
ruleset" is a red herring. 

In practice you're not going to be constantly screwing with the rules --
and if you are, you've got more to worry about than the fairly useless
information about _why_ a given action actually ended up triggering a
log entry.

Even if you _are_ constantly screwing with the rules, there's no need to
re-use keys until you've actually cycled through the whole 4 milliard or
so numbers you have available. There's absolutely no need for them to be
ambiguous unless the user is being silly about it.

Mangling strings with purely cosmetic data in them is not a task for the
kernel. I'd suggest that it isn't a task for auditd either.

-- 
dwmw2
