VFS hooks analysis (pass 1)
Steve Grubb
sgrubb at redhat.com
Fri Sep 9 15:42:03 UTC 2005
On Friday 09 September 2005 11:31, Linda Knippers wrote:
> I also think there's too much duplicate information in the audit records
> today with a lot of the same information in the watch records and in the
> syscall records that caused the watch records to be emitted.
True.
> Are there cases where a watch record is appropriate by itself without a
> syscall record?
Not that I know of. You need the subject and the outcome.
> If not, then we could pull a lot of the information out of the watch record
> since the same information is available in the syscall records.
This is what I would like to do.
> Can streamlining the audit information be looked at as part of this
> activity or should it be a separate effort?
I think this is separate. We could streamline today and then the new code
picks up those changes.
-Steve