key in syscall audit rules.

Steve Grubb sgrubb at redhat.com
Thu May 19 12:41:00 UTC 2005


On Thursday 19 May 2005 08:17, David Woodhouse wrote:
> Mangling strings with purely cosmetic data in them is not a task for the
> kernel. I'd suggest that it isn't a task for auditd either.

There is another reason why text strings are preferable. It may take 5-6 audit 
rules to cover a scenario. How do you know these rules go together to cover a 
scenario when you are doing post-mortem analysis? Also, the analysis may be 
done on a different machine from the one the data was collected on. I can 
also see that we may have a combination of filesystem and syscall rules that 
go together to cover a scenario.

-Steve 
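The post-mortem grouping Steve describes, shown as an added example that is not code from the thread or from the audit project: constructed auditd records produced by several different rules sharing one key are collapsed into a single scenario by that key alone, with the unkeyed case (key=(null)) kept separate. Function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the thread): three SYSCALL events from
# different rules that were all loaded with the same key, plus one event from
# an unkeyed rule, which auditd logs as key=(null).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1116505260.123:101): arch=40000003 syscall=5 success=yes exit=3 pid=2044 auid=500 uid=0 comm="cat" exe="/bin/cat" key="shadow-access"
type=SYSCALL msg=audit(1116505261.456:102): arch=40000003 syscall=15 success=yes exit=0 pid=2050 auid=500 uid=0 comm="chmod" exe="/bin/chmod" key="shadow-access"
type=SYSCALL msg=audit(1116505262.789:103): arch=40000003 syscall=5 success=no exit=-13 pid=2051 auid=501 uid=501 comm="vi" exe="/bin/vi" key="shadow-access"
type=SYSCALL msg=audit(1116505263.000:104): arch=40000003 syscall=5 success=yes exit=4 pid=2060 auid=500 uid=0 comm="ls" exe="/bin/ls" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes.
    msg=audit(TIME:SERIAL) becomes 'time' and 'serial'; key=(null) becomes
    key=None so an unkeyed event is never mistaken for a scenario "(null)"."""
    fields = {}
    m = MSG_RE.search(line)
    if m:
        fields["time"], fields["serial"] = float(m.group(1)), int(m.group(2))
    for name, value in FIELD_RE.findall(line):
        if name != "msg":
            fields[name] = value.strip('"')
    if fields.get("key") == "(null)":
        fields["key"] = None
    return fields


def group_by_key(log_text):
    """Map each rule key to the serial numbers of the records it produced.
    Several independent rules (different syscalls, different processes here)
    collapse into one scenario because the rules shared a key, without the
    analysis machine needing the rule set that was loaded on the collector."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            groups[rec.get("key")].append(rec["serial"])
    return dict(groups)


if __name__ == "__main__":
    for key, serials in group_by_key(SAMPLE_LOG).items():
        print(key or "<unkeyed>", serials)
```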
