VFS hooks analysis (pass 1)

Linda Knippers linda.knippers at hp.com
Fri Sep 9 15:31:22 UTC 2005


>>> The downside to this is that there may be extra records in the audit log,
>>> some of which (depending on the admin) may be considered cruft
> 
> I don't think extra records is a given.  We could implement it so
> there wouldn't be duplicate records.

I think duplicate records are bad and we really should strive to avoid
them.  They waste time and space.

I also think there's too much duplicate information in the audit records
today with a lot of the same information in the watch records and in the
syscall records that caused the watch records to be emitted.  Are there
cases where a watch record is appropriate by itself without a syscall
record?  If not, then we could pull a lot of the information out of
the watch record since the same information is available in the syscall
records.

Can streamlining the audit information be looked at as part of this
activity or should it be a separate effort?

-- ljk




More information about the Linux-audit mailing list