key in syscall audit rules.

Timothy R. Chavez tinytim at us.ibm.com
Fri May 20 19:00:09 UTC 2005


On Friday 20 May 2005 13:21, Steve Grubb wrote:
<snip>
> I can think of more good reasons...but I think David wants to hear from 
> other people than myself.

We should talk on Tuesday and list and prioritize everything, including the 
"nice to haves", that are left to do for development in both the kernel and 
user space.  If this work is not _needed_ for the CAPP evaluation then it 
should be done after the freeze, IMO.  It is a very useful feature, no doubt, 
but there's a greater goal here.

> Then there is another part to the question...should the key be numeric 
> or a text string?
> 
> For human factors, I believe it should be a string. It would be good for 
> other people to state an opinion. Additionally, by having only a number for 
> syscall auditing - if you want to make it correlate with filesystem auditing, 
> you will have to choose a number also so searching produces the right results.
> 

I personally think keys are best stored numerically as hashes (a kind of 
cookie if you will) in the kernel and then, if need be, translated into 
something more meaningful to human eyes in userland.  However, we just don't 
have the resources right now to fully develop and test this strategy.  And, 
if we only go half way and convert them to numeric representations, this will 
do no good for the administrator and we might as well not have them at all 
(which isn't acceptable).

Grouping rules together and associating records can be done other ways without 
the use of a string key.  For instance, we could add rules to "groups" such 
that one could correlate records by this association (which would just be an 
integer id)....  This would require a list of lists rather than just a list, 
for rules.  Again, resources would be the limiting factor.  Anyway, I'm a 
dreamer and it's Friday.

-tim

> -Steve

-- 
-tim
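As an added illustration of the strategy Tim sketches above (numeric "cookie" keys in the kernel, translated back to strings in user space), here is a small Python model. It is not code from the linux-audit project or the kernel; the cookie function, the `KeyTable` class, and the record lines are all constructed for the example, and the record layout (`type=`, `serial=`, `key=`) only mimics the field style of audit records. It shows the two points the message raises: records from a syscall rule and a filesystem rule correlate when they carry the same cookie, and a cookie the user-space table cannot translate leaves the administrator with nothing but a number (the "half way" outcome), while two keys hashing to the same cookie would make their records indistinguishable, so the table refuses the collision instead of merging.

```python
"""Numeric-hash keys in the kernel, translated to strings in user space.

Added example (not linux-audit or kernel code).  All record lines are
constructed samples; field names mimic audit record style but the
values are made up.
"""
import zlib
from collections import defaultdict


def key_cookie(key: str) -> int:
    """Hypothetical fixed-width cookie the kernel would store for a key.

    CRC32 is used only because it is in the standard library; any
    fixed-width hash would serve the illustration equally well.
    """
    return zlib.crc32(key.encode()) & 0xFFFFFFFF


class KeyTable:
    """User-space side: remembers which string produced which cookie."""

    def __init__(self):
        self._by_cookie = {}

    def register(self, key: str) -> int:
        cookie = key_cookie(key)
        existing = self._by_cookie.get(cookie)
        if existing is not None and existing != key:
            # Two different rule keys hashed to the same cookie; with a
            # numeric-only kernel representation their records could not
            # be told apart, so refuse rather than silently merge them.
            raise ValueError(f"cookie collision: {key!r} vs {existing!r}")
        self._by_cookie[cookie] = key
        return cookie

    def translate(self, cookie: int) -> str:
        # An unknown cookie (rule loaded before the table was saved, or
        # table lost) is shown numerically, which is exactly what a
        # "half way" numeric conversion leaves the administrator with.
        return self._by_cookie.get(cookie, f"<unknown:{cookie:#010x}>")


def parse_record(line: str) -> dict:
    """Split a 'name=value name=value ...' record line into a dict."""
    fields = {}
    for token in line.split():
        name, _, value = token.partition("=")
        fields[name] = value
    return fields


def group_by_key(lines, table: KeyTable) -> dict:
    """Correlate syscall and filesystem records that share a key cookie."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        cookie = int(rec["key"], 0)          # accepts the 0x... form below
        groups[table.translate(cookie)].append((rec["type"], rec["serial"]))
    return dict(groups)


def demo() -> dict:
    table = KeyTable()
    shadow = table.register("shadow-access")
    mounts = table.register("mount-ops")
    # Constructed records as a cookie-storing kernel might emit them: the
    # SYSCALL and PATH records of one event carry the same cookie, so a
    # search by the string "shadow-access" finds both of them.
    lines = [
        f"type=SYSCALL serial=101 syscall=open key={shadow:#x}",
        f"type=PATH serial=101 name=/etc/shadow key={shadow:#x}",
        f"type=SYSCALL serial=102 syscall=mount key={mounts:#x}",
        "type=SYSCALL serial=103 syscall=open key=0xdeadbeef",  # no mapping
    ]
    return group_by_key(lines, table)


if __name__ == "__main__":
    for key, records in demo().items():
        print(key, records)
```

Running it groups the two serial-101 records under "shadow-access", the mount record under "mount-ops", and the record with cookie `0xdeadbeef` under a bare `<unknown:0xdeadbeef>` label, which is the administrator-unfriendly result the message warns about when the translation step is missing.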
