is this message necessary?
Steve Grubb
sgrubb at redhat.com
Thu Nov 10 11:17:50 UTC 2005
On Wednesday 09 November 2005 19:14, Linda Knippers wrote:
> Since all the information is known at the point where the current audit
> records are generated (I think that's the case), couldn't we just include
> more information in the record?
Yes, but not much.
> I don't see the userspace connection here but I could be missing something.
"auditctl -l" does a full formatting of each rule. What I was referring to is
that to get the rule in the logs exactly as sent would duplicate that
functionality.
For syscalls, about all you can put is list number & syscall number(s). For
watches, path and key. Going beyond that will be a lot of formatting that
adds bloat. You can take a look at the code that does "auditctl -l"
formatting to see what it takes.
So, who's gonna do it?
-Steve