[PATCH] auditfs updates to .46
David Woodhouse
dwmw2 at infradead.org
Thu May 26 13:07:02 UTC 2005
On Thu, 2005-05-26 at 08:49 -0400, Steve Grubb wrote:
> This seems like a source of unintended error. How do we let the system admin
> know that they've lost events because they needed to specify possible?

The same way we let the sysadmin know that they've lost events because
they needed to specify a rule for whatever they wanted to watch -- i.e.
not at all, because it's not up to us to second-guess possible errors in
the configuration.

> Could an audit context be created on demand?

Perhaps, but not nicely. And by that time we've already failed to log
the syscall information at syscall_audit_entry() anyway.

We could perhaps create one and record partial information, but I'm not
sure I see the point. If the admin said that this task wasn't to be
audited, why would we disobey?

> The fact that it's a watched inode would indicate that auditing is
> intended.

Conversely, the fact that it's a task for which no auditing was
specified would indicate that auditing is not intended.

--
dwmw2