splitting up auditctl

Steve Grubb sgrubb at redhat.com
Fri Sep 23 19:01:24 UTC 2005


On Friday 23 September 2005 14:47, Timothy R. Chavez wrote:
> For instance, adding and removing rules could be done by the 'aurule'
> command, leaving 'auditctl' to handle things like backlog, rate limits,
> enabling and disabling of the audit subsystem, etc.  I have to admit, I
> quite like the idea.

aurule would need to be able to increase the backlog limit and set failure 
mode in order to handle the capp rules that are part of the package. So, you 
wouldn't really gain much.

> I'm not a big fan of all-in-wonder tools and that if we could, we should
> split auditctl up before it turns into a menagerie of ideas that are linked
> simply by the fact they interact or utilize the audit subsystem in some
> way, shape, or form.

auditctl has a very simple mission. Load, delete, and list rules. Nothing 
else. It will not be growing in the future other than to accommodate new rule 
syntax. I would like to get rid of the "-t" option as I feel it doesn't fit 
what auditctl should do.

I guess when you think about it, auditctl is aurule.

-Steve



